We have a filter for "bin/wcmcommand" for cmd "movePage" and "deletePage", and it is expected to perform certain operations when a Delete operation or Move operation is performed from AEM consoles.
However, we observed that the filter was active for a read-only user while loading the AEM sites console. We are trying to understand what could trigger "bin/wcmcommand" with cmd as "movePage" or "deletePage" from the sites console (except the move or delete button, as these will be disabled for the read-only user).
Hello @RishabhSinha
The operations would be done from User's session. So, if the user doesn't have access, the operations would fail.
Thus, even if someone triggers it explicitly, they shouldn't succeed.
Maybe you can simulate the same request via Postman and confirm.
The read-only access should take care of the buttons via render condition. Also, the current user session should be used by the WCMCommand OOTB, thus preventing the move and delete.
Are you seeing any discrepancies?
Yes, I could see that the move/delete buttons are disabled for the user. But this doesn't restrict AEM from triggering "bin/wcmcommand" with "cmd" as "deletePage" or "movePage". Hence, we are trying to figure out if there is any possibility to trigger the same via any other operation, as it should have happened in our case!
Hi @RishabhSinha
You cannot restrict the filter based on the ACL.
You need to check this manually in the Filter and restrict operations based on user permissions.
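One way to do the in-filter permission check suggested above, as an added sketch that is not code from any poster in this thread. The class name, the `path` and `srcPath` request parameter names, and the logging hook are assumptions; only the servlet path and the `cmd` values come from the thread.

```java
import java.io.IOException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.*;
import org.apache.sling.api.SlingHttpServletRequest;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical filter: runs its side effects only when the requesting user's own session may remove the pages.
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "sling.filter.pattern=/bin/wcmcommand" })
public class WcmCommandGuardFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(WcmCommandGuardFilter.class);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        String cmd = request.getParameter("cmd");
        boolean isDelete = "deletePage".equals(cmd);
        if ("POST".equals(request.getMethod()) && (isDelete || "movePage".equals(cmd))) {
            // Assumed parameter names: "path" for deletePage, "srcPath" for movePage.
            String[] paths = request.getParameterValues(isDelete ? "path" : "srcPath");
            if (mayRemoveAll(request, paths)) {
                // The project's own move/delete side effects go here; this sketch only logs.
                LOG.info("{} permitted for {} on {} path(s)", cmd,
                        request.getResourceResolver().getUserID(), paths.length);
            } else {
                LOG.warn("{} requested without remove permission; side effects skipped", cmd);
            }
        }
        chain.doFilter(req, res); // the servlet still enforces ACLs through the user's session
    }

    // True only if every submitted path is absolute and removable by the request's JCR session.
    private boolean mayRemoveAll(SlingHttpServletRequest request, String[] paths) {
        Session session = request.getResourceResolver().adaptTo(Session.class);
        if (session == null || paths == null || paths.length == 0) return false;
        try {
            for (String p : paths) {
                if (p == null || !p.startsWith("/")
                        || !session.hasPermission(p, Session.ACTION_REMOVE)) return false;
            }
            return true;
        } catch (RepositoryException e) {
            return false; // fail closed on malformed paths or repository errors
        }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The `warn` line also records any request that reaches the filter with these commands from a user who lacks the permission.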
Thanks! What I understood is that you are suggesting to check the user permissions in filter itself before performing any operation, and if the permission is allowed for the user to move/delete then can continue with the operation. Will give it a try.
But I am still trying to understand how "/bin/wcmcommand" got triggered for a READ-ONLY user with command "deletePage" or "movePage" so that we are sure that the servlet was only invoked via move/delete button and not via any other operation. As if it would have triggered via any other operation then we need to have a check on that scenario irrespective of the user.
@RishabhSinha Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found a solution yourself, please share it with the community.