v15.2.0 backoffice search show to many search providers for eg. editors

[mjpraxis]

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

15.2.0

Bug summary

The list of search providers should be the same as the sections that a user has access to.

Eg editors can see "Content" and "Media".
That should be the only one the can choose in the search dialog.

Specifics

No response

Steps to reproduce

Add a user with editor role

Login as this new editor user

Click the search icon in the upper right corner.

Compare the list of search providers with the sections the user has access to.

Expected result / actual result

Expected the list of search providers for editor only is "Content" and "Media".

Actually show all search providers.

[github-actions]

Hi there @mjpraxis!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

• We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
• If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
• We'll replicate the issue to ensure that the problem is as described.
• We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

[mjpraxis]

@NguyenThuyLan and if for example an editor search for an documenttype and gets some hits in the search-result.
The link to these types will not work, because the user do not have the rights to access that section.
So why show search providers that the user has no access to ?

[markadrake]

The API endpoint for this search doesn't consider the requester's permissions and doesn't filter the results accordingly.

If I'm right, this endpoint has the potential to leak or expose more information than it should to any given user.

[mjpraxis]

I have updated the title and description.
The issue is also in version 15.2.0-rc

[mjpraxis]

@NguyenThuyLan
I have updated the title and description.
The issue is also in version 15.2.0

[NguyenThuyLan]

Yes @mjpraxis , I was still able to reproduce it on 15.2.1, we will need to fix it

[andersreus]

It also shows settings-related search providers in 15.3.0-rc when logged in as an editor.