Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

bin/wcmcommand with cmd "movePage" or "deletePage" triggered for a readonly user

Avatar

Level 2

We have a filter for "bin/wcmcommad" for cmd "movePage" and "deletePage" and it is expected to perform certain operations when a Delete operation or Move operation is performed from AEM consoles. 

Although we observed that the filtered was active for a read-only user while loading the AEM sites console. We are trying to understand what could trigger "bin/wcmcommad" with cmd as "movePage" or "deletePage" from the sites console (except move or delete button - as these will be disabled for the read only user)

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hello @RishabhSinha 

 

The operations would be done from User's session. So, if the user doesn't have access, the operations would fail.

Thus, even if someone triggers it explicitly, they shouldn't succeed.

 

May be you can simulate the same request via Postman and confirm.


Aanchal Sikka

View solution in original post

6 Replies

Avatar

Community Advisor

@RishabhSinha 

 

The read-only access should take of the buttons via render condition. Also, current user session should be used by the WCMCommand OOTB. Thus, preventing the move and delete

Are you seeing any discrepancies?


Aanchal Sikka

Avatar

Level 2

Yes, I could see that the move/delete buttons are disabled for the user. But this doesn't restricted AEM to trigger "bin/wcmcommand" with "cmd" as "deletePage" or "movePage". Hence, we are trying to figure out if there is any possibility to trigger the same via any other operation as it should have happened in our case!

Avatar

Correct answer by
Community Advisor

Hello @RishabhSinha 

 

The operations would be done from User's session. So, if the user doesn't have access, the operations would fail.

Thus, even if someone triggers it explicitly, they shouldn't succeed.

 

May be you can simulate the same request via Postman and confirm.


Aanchal Sikka

Avatar

Community Advisor

Hi @RishabhSinha 
You can cannot restrict the filter based on the ACL.

you need to check this manually in the Filter and restrict operations based on user permissions.



Arun Patidar

Avatar

Level 2

Thanks! What I understood is that you are suggesting to check the user permissions in filter itself before performing any operation, and if the permission is allowed for the user to move/delete then can continue with the operation. Will give it a try.

But I am still trying to understand how "/bin/wcmcommand" got triggered for a READ-ONLY user with command "deletePage" or "movePage" so that we are sure that the servlet was only invoked via move/delete button and not via any other operation. As if it would have triggered via any other operation then we need to have a check on that scenario irrespective of the user.

Avatar

Administrator

@RishabhSinha  Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni