-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Unexpected character encountered while parsing value" on save and publish #16288
Comments
Hi there @kows! Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better. We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.
We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions. Thanks, from your friendly Umbraco GitHub bot 🤖 🙂 |
Hey @kows do I understand correctly that If you manipulate the content model in SendingContentNotification by either
And then save OR Save & publish, you get the error you described? If so, could you give me a (trimmed down) code example of your notificationHandler? |
Yes and the block list editor must contain data for it to happen. internal sealed class SendingContentNotificationHandler()
: INotificationHandler<SendingContentNotification>
{
public void Handle(SendingContentNotification notification)
{
if (notification.Content.ContentTypeAlias.Equals(Website.ModelTypeAlias))
{
foreach (ContentVariantDisplay variant in notification.Content.Variants)
{
//exclude 'groupToHideAlias' tab/group which contains a blocklist editor
variant.Tabs = variant.Tabs.Where(x => !x.Alias.InvariantEquals("groupToHideAlias"));
}
}
if (notification.Content.ContentTypeAlias.Equals(ContentPage.ModelTypeAlias))
{
foreach (ContentVariantDisplay variant in notification.Content.Variants)
{
//making all editors on tabs readonly except 'Generic' tab
foreach (Tab<ContentPropertyDisplay> tab in variant.Tabs.Where(t => t.Type == "Tab"))
{
foreach (ContentPropertyDisplay prop in tab.Properties ?? [])
{
prop.Readonly = true;
}
}
}
}
}
} |
Hey @kows I had a look and was able to reproduce this with the following simplified NotificationHandler using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.Events;
using Umbraco.Cms.Core.Models.ContentEditing;
using Umbraco.Cms.Core.Notifications;
namespace Umbraco.Cms.Web.UI.App_Data;
public class issue16288 : IComposer
{
public void Compose(IUmbracoBuilder builder)
{
builder.AddNotificationHandler<SendingContentNotification, ReadOnlyBlockSendingNotificationHandler>();
}
}
public class ReadOnlyBlockSendingNotificationHandler : INotificationHandler<SendingContentNotification>
{
public void Handle(SendingContentNotification notification)
{
ContentPropertyDisplay? property =
notification.Content.Variants
.SelectMany(v => v.Tabs)
.SelectMany(t => t.Properties ?? [])
.FirstOrDefault(p => p.Alias == "blocklist");
if (property is not null && property.SupportsReadOnly)
{
property.Readonly = true;
}
}
} Looking at the code that processes property updates, we have some code in place that checks whether a property editor is marked as read-only. When you however mark the property as read-only/remove it from the outbound model, the client does not send any property data back for those properties while the property editor expects there to be a value. In short: We do not expect you to change that value. The reason why this works for other editors and not this one is complex. Because the system was not purposefully designed to handle this kind of manipulation, I am going to close this bug report. Feel free to open a discussion to express the use case where you would need this kind of functionality. |
@Migaroez EDIT: this was no issue in older versions with Nested Content. |
I do not deem setting an outbound (display) model flag as a way of enforcing security To make something truly secure (in an editing context), you need to control the inbound flow, and the outbound just to be friendly. If you only control the outbound, you end up with security by obscurity as shown in the video below. To save time I used the package you linked with 2 users. But it should (and I am pretty sure it will) work the same with marking it read-only as I tested the client's behaviour regarding payload construction previously. 16288_obscurity.mp4With I can only guess as I was not a core developer at the time, but I believe the intent was that if you were to change anything or all things on an outbound model, you would make sure it wouldn't brake things when the client then send it back. And I am pretty sure that there was no clear intent to allow this feature to support implementers make things "more secure" (as per previous statement and example) |
Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)
13.3.0
Bug summary
When trying to save or save and publish I get an error modal.
Specifics
Received an error from the server
An error occurred
Unexpected character encountered while parsing value: U. Path '', line 0, position 0.
Steps to reproduce
There are actually two flows in which this occurs.
Setup:
a) mark the block list property as readonly
or b) remove the block list property from the tab.Properties to "hide" it
With this setup, if you try to save or save and publish, it is actually trying to process
Umbraco.Blocklist
as value iso the actual data.Expected result / actual result
A readonly/hidden block list editor does not block save / save and publish.
The text was updated successfully, but these errors were encountered: