Generating URL to page user doesn't have access to results in error

I have a part with links to some content that the user doesn’t have access to. The content linked is defined in the part config, which then makes the content id available to the controller.

Then, when I use portalLib.pageUrl({id:content-id}) to generate the url, I get http://localhost/_/error/404?message=Content+with+id+[content-id]+was+not+found+in+branch+[master]

Is this intended? I would assume that the user should be able to try to access the page, but then get a 403 instead. When the user has access to the content in question, everything works as expected.

I have a workaround for this by doing link creation in a super user context, but this seems a little excessive to me.

Have you checked inside your error.js and verified that you have an exports.handle403 function there?
http://docs.enonic.com/en/stable/developer/site/errors/index.html

Yes, I have, but I don’t feel this is relevant.

I do not get an error page. The part renders fine, it is the portal lib function that fails to generate the url to the inaccessible content.

Let’s say I have a page @ site/profile. I should be able to generate an url to this page based on the page’s id, but this doesn’t seem possible. When the user tries to access this page, a 403 should be returned (which it does if I serve the url to the user manually)

Generating an url if I have the path works fine, though. It is only portalLib.pageUrl with id that fails.

I noticed this recently, but too late to do anything before 6.6 release.
I am not sure if this was intended but I agree it’s not very convenient.

As it is now if the current user does not have read permission on the content, the URL generated is an error URL.
The workaround is what you did, use contextLib.run function to wrap the pageUrl call.

1 Like

Thanks @aro! Can I inform my customer that this will likely be addressed in a future release?

There is at least one error here - returning a 404, it should be 403.

The question is: Should a portal function should reveal the name of content the user does not have access to? Also, maybe you could have checked if the user has access to the specific content before creating the link? I guess this is not that easy when links are inside html texts?

If people are comfy with getting the content name exposed to users without permissions we could have created the link directly… Maybe this could be an option?