Sensitive member data fields cannot be edited and are presented empty, but are still visible and apparently editable by the user

[LennardF1989]

Which Umbraco version are you using?

16.0.0

Bug summary

I was testing something for #16329 and wanted to check how the backoffice now handles sending back member data even though a property might be sensitive. I had hoped to find that the property would be leaked in the API response, then hidden by the UI to make a point of how backwards the current approach with conditions would be.

Instead, I found this not implemented yet, at all. There is some logic in the backend the detect something is sensitive data, but at no point is the data filtered out if the logged in user has no access to sensitive data.

Specifics

No response

Steps to reproduce

1. Change default member type and set the Comment field as sensitive.
2. Create a member, type something in the Comment field and save.
3. Switch to a user without the "Sensitive data" user group (I have even tested anything non-administrator)
4. Go to the member
5. Comment field shows up as per normal.

Expected result / actual result

The comment field is hidden, since it's tagged as sensitive and the current user has no right to view sensitive data.

On top of that, the sensitive data shouldn't even be in the response of the API endpoint!

---

This item has been added to our backlog AB#54282

[github-actions]

Hi there @LennardF1989!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

• We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
• If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
• We'll replicate the issue to ensure that the problem is as described.
• We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

[lauraneto]

Hi @LennardF1989,

I am unable to reproduce the issue.
As a user with no access to sensitive data, I do still see the field umbracoMemberComments, but it is empty (no data is leaked in both the UI and API), and if you try to set a value it will give you an error.

Admin

User (with no sensitive data access)

[LennardF1989]

I can confirm the data is not visible, I think I somehow was looking at a cached browser value.

I would however expect the property itself to also not be visible. And/or make it very clear to the backoffice user this field is readonly (grayed out) or sensitive and therefor not editable.

[AndyButland]

Agreed @LennardF1989, thanks for reporting and pointing out. This is fixed now via #19857 for 16.2.