Magnolia 6.2.41 known issues
Endless redirect loop due to incorrect URL encoding
If a redirect URL is used after a login, the protocol portion of the URL is wrongly encoded (from http://
to http%3A//
), which generates an endless redirect loop.
This happens because the redirection scheme doesn’t take into account absolute URLs.
A workaround solution is to ignore compressing the redirect URL by bypassing the GZip filter.
Users whose names contain .
can’t log in
After upgrading to 6.2.41, there is an issue where users with usernames containing the .
character can’t log in.
This issue especially affects customers who use emails as usernames, as these frequently contain .
.
An error similar to this is thrown instead:
ERROR info.magnolia.cms.security.JCRSessionOp 18.12.2023 10:14:24 -- Failed to execute info.magnolia.cms.security.RepositoryBackedSecurityManager$3@36581e97 session operation with Unclosed group near index 28
(\Q/admin/magnolia)\.test\E
The issue is caused by MAGNOLIA-9191 and is addressed in MAGNOLIA-9233. We aim to resolve this issue with the release of Magnolia CMS 6.2.42, planned soon. For the next release date, see Releases.
SSO impact
This issue doesn’t concern customers using the SSO module, because SSO doesn’t store usernames in JCR.
However, the Magnolia Services sso-connector
may be affected.
Workaround
To bypass this issue, create a Groovy script that reverts the application of the problematic quoting from the ACL paths for each user. For example, the script below removes quoting from the ACL paths for each user (\Q and \E).
We recommend you:
|
import info.magnolia.jcr.predicate.NodeTypePredicate;
session = ctx.getJCRSession('users')
users = NodeUtil.collectAllChildren(session.getRootNode(), new NodeTypePredicate("mgnl:user"))
users.each { user ->
node = NodeUtil.unwrap(user)
aclNode = node.getNode("acl_users")
pathNodes = NodeUtil.collectAllChildren(aclNode)
pathNodes.each{pathNode ->
path = pathNode.getProperty("path").getValue().getString()
newPath = path.replace("\\Q","")
newPath = newPath.replace("\\E","")
pathNode.setProperty("path", newPath)
}
}
session.save()
Duplicate Security app in modern App Launcher layout
We migrated the Security app to the Magnolia 6 UI framework in SECURITY-64. For those using the classic App Launcher layout, the new Security app does not appear by default. However, those using the modern App Launcher layout, see the new Security app as a duplicate under the "Custom" grouping.
To remove this duplicate Security app from your App Launcher:
-
Go to any light module.
-
Add the following decoration for AdminCentral.
<light-modules>/<module>/decorations/admincentral/config.yaml
layout: hiddenApps: security: security-app (1)
1 security-app
represents the new Security app.