Umbraco-cms: How to 'specify permissions' on an Umbraco dashboard?

As discussed here: https://our.umbraco.com/forum/using-umbraco-and-getting-started/96364-hide-redirect-url-management-from-editors

There are different opinions on this, and you are already able to solve it.

The Dashboard is not added via a manifest, but via the Dashboard collection builder. AFAIK the only way to alter the permissions for the dashboard, is to implement it as suggested.

An example on implementing access rules can be found here https://github.com/umbraco/Umbraco-CMS/blob/ecb6f93e54de1f37e83f4c85bffe81d32c86d917/src/Umbraco.Web/Dashboards/ContentDashboard.cs

Thanks @soreng. How do I find the alias of the Redirect URL Management dashboard?

Also, I seem to be running into this bug:
https://our.umbraco.com/forum/extending-umbraco-and-using-the-api/97493-dashboards-not-obeying-accessrules

What do you need the alias for?
It’s “contentRedirectManager”, found in RedirectUrlDashboard.cs

I dont see a bug report on the issue from the our-thread. Should this issue be that?

Please beware that the rules are bot applied directly in the order they are added, but grouped by type first. Have a look at https://github.com/umbraco/Umbraco-CMS/blob/ba064ba4f52033996baec62286053ce7b8b7191a/src/Umbraco.Web/Services/DashboardService.cs to see how it is implemented.

How am I supposed to add that dashboard back with permissions? I am confused. In the "Our" thread, you seem to be telling me to make a custom replacement dashboard from scratch, which is ludicrous.

I created a custom dashboard, as a test, and Umbraco does not honor the single access rule on it. How can I expect it to honor one when I add the back the dashboard that I should not have to remove in the first place? This is a mess.

You want to change something, and one option is to remove the thing that don’t fit, and add one that does.

This is how umbraco 8 is build.

In 7, Umbraco was built to handle this situation.

8 should not remove basic functionality.

I don't "want to change something". A screw-up in Umbraco 8 forces me to.

What I want is for users who should not have access to other users' content to not have access to other users' content. I ask too much?

I really don’t see it that way. You are trying to do sometime that is not an everyday task, and want to change something in the system.

I don’t think adding your own dashboard to allow for this, it that big of a task.

You cannot explain away the fact that in 7 this was a simple config setting.

Now in 8, I am a crazy man for wanting to do something that was commonly done in 7, with a simple config settting? I'm going off the rails all of a sudden?

You are battling with me instead of helping me correct a deficiency in 8.

AND, Umbraco 8 DOES NOT HONOR MY "DENY" ON MY SIMPLE CUSTOM DASHBOARD TEST.

I still see my custom dashboard when logged in as a user who is only in the admins role.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Umbraco.Core;
using Umbraco.Core.Composing;
using Umbraco.Core.Dashboards;
using Umbraco.Web;

namespace u8Dashboards
{
    [Weight(-10)]
    public class MyDashboard : IDashboard
    {
        public string Alias => "pucCustomDashboard";

        public string[] Sections => new[]
        {
            Umbraco.Core.Constants.Applications.Content,
            Umbraco.Core.Constants.Applications.Settings
        };

        public string View => "/App_Plugins/PUC/PucDashboard.html";

        //public IAccessRule[] AccessRules => Array.Empty<IAccessRule>();

        public IAccessRule[] AccessRules
        {
            get
            {
                var rules = new IAccessRule[]
                {
                     new AccessRule {Type = AccessRuleType.Deny, Value = Umbraco.Core.Constants.Security.AdminGroupAlias}
                };
                return rules;
            }
        }
    }
}

Sorry, I was not trying to battle you, but rather help you find a solution.

Me: I want to deny writers access to the Umbraco dashboard for URL rewrites--because it gives them global access to rewrites for pages outside of their restricted content node.

You: Throw away the whole dashboard and make and new one. Welcome to Umbraco 8.

In addition, I am doing all of this trickery to get to set permissions on an Umbraco dashboard, and Umbraco will not even honor my single permission on the simple custom dashboard, using the code above.

So, on a scale of 1 to 10, this "solution" is a 0.

@lcichanowicz I understand that you're very frustrated but please keep it friendly, no need for all caps posts. Also please note that @soreng is just trying to help you, something which he has no obligation to do on a Sunday night. 👍

Yes, totally agreed, we did not foresee this scenario at all in v8 and we should do something about it!

For now, the only solution is the workaround offered, which is not the ideal situation for sure, but better than nothing.
As for it not working, this is caused by the "SuperUser" (as in: the first user created in Umbraco, the user with id -1) being allowed to see all dashboards: https://github.com/umbraco/Umbraco-CMS/blob/v8/dev/src/Umbraco.Web/Services/DashboardService.cs#L70

I have tested logging in with a different admin user and the dashboard is hidden as expected.

@nul800sebastiaan, thanks for weighing in. My frustration (all caps) was with Umbraco--not with @soreng. Umbraco 8 seems like a downgrade from 7 in so many ways. Note that I was not working on the weekend for fun either. This cascade of Umbraco 8 issues was affecting a live site, with thousands of users (writers) seeing that URL Rewrite dashboard as their only dashboard--for global rewrites, exposing other user's data.

Great, that it was not directed at Søren but my comment stays the same, it's fine to be frustrated but let's put our energy in making a positive change instead of focusing on past mistakes.

I am also happy to listen to the cascade of issues that you've found, most of which we will probably not be able to magically solve for you right away, but it's great to get feedback on what people are struggling with as valuable input on what we can work with.

I like the whole "Friendly CMS" thing. I find it _un_friendly to be told a bug is not a bug. The most efficient, and least frustrating way forward to positive change, is to recognize and own the deficiency being reported. That definitely was not happening here.

I think you're confused. @soreng doesn't work for Umbraco HQ.

I do work there and the first thing I did after the weekend was to acknowledged the issue and told you I think we should work on it.

This should work:

public class MyComposer : IComposer
{
    public void Compose(Composition composition)
    {
        composition.Dashboards()
            // Remove the default
            .Remove<RedirectUrlDashboard>()
            // Add the overridden one
            .Add<MyRedirectUrlDashboard>();
    }
}

// overridden redirect dashboard with custom rules
public class MyRedirectUrlDashboard : RedirectUrlDashboard, IDashboard
{
    // override explicit implementation
    IAccessRule[] IDashboard.AccessRules { get; } = new IAccessRule[]
    {
        new AccessRule {Type = AccessRuleType.Deny, Value = "writer"},
        new AccessRule {Type = AccessRuleType.Grant, Value = Umbraco.Core.Constants.Security.AdminGroupAlias}
    };
}

Can this be easier? Yes! Ideally the interface for IDashboard could have allowed a mutable collection for access rules but unfortunately thats not the case otherwise it would have been reasonably easy. The IAccessRule themselves is mutable but that doesn't solve this problem of adding/removing rules from the dashboard definition.

We could allow adding custom filters to override rules which could look something like:

public class MyComposer : IComposer
{
    public void Compose(Composition composition)
    {
        composition.Dashboards()
            .Modify<RedirectUrlDashboard>(new IAccessRule[]
            {
                new AccessRule {Type = AccessRuleType.Deny, Value = "writer"},
                new AccessRule {Type = AccessRuleType.Grant, Value = Umbraco.Core.Constants.Security.AdminGroupAlias}
            });
    }
}

The Modify method could also allow modifying the sections.

Some things in v8 had to be rebuilt, things that relied on the legacy configuration patterns and configuration 'provider' models. The config first approach is legacy because it is inflexible, error prone, doesn't allow for modern coding standards, etc... With these components rebuilt the way they are, it is certainly possible to re-add configuration back in where it makes sense. We didn't remove file based configuration just to be annoying, it was just re-added for the 8.0 release since we need to gauge the requirement for it and whether/where it makes sense.

Thanks, @Shazwazza! I express my gratitude with a PR.

https://github.com/umbraco/UmbracoDocs/pull/2335

@lcichanowicz wonderful 🎉 Next we need an up-for-grabs task to do what I've mentioned above with the Modify method... that is if folks think its important enough

Sweet! Great addition to the docs too! 👍

I'll link to this related issue, looking into it now: https://github.com/umbraco/Umbraco-CMS/issues/7758

Hi @lcichanowicz,

We're writing to let you know that we've added the Up For Grabs label to your issue. We feel that this issue is ideal to flag for a community member to work on it. Once flagged here, folk looking for issues to work on will know to look at yours. Of course, please feel free work on this yourself ;-). If there are any changes to this status, we'll be sure to let you know.

For more information about issues and states, have a look at this blog post

Thanks muchly, from your friendly PR team bot :-)