Description
Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)
13.1.0
Bug summary
When restricting public access to a specific member, bad data is persisted if the member's login contains a '+' character. It is not uncommon for mail providers to support aliasing multiple addresses to one mailbox using this character.
Specifics
When making the request to the backoffice public access controller, it looks like member logins are sent in a query string parameter, which is not URL encoded.
On hitting the save button, a POST is sent to https://localhost:44303/umbraco/backoffice/umbracoapi/publicaccess/PostPublicAccess?contentId=1075&loginPageId=1075&errorPageId=1075&usernames[]=jmf+directaccess@umbraco.dk. Note the '+' character in the email.
But to the controller receiving it, this login is interpreted as jmf directaccess@umbraco.dk.
I have not yet tested whether affected members are able to browse to the selected content nodes via SSR or the delivery API, but my best guess is that they cannot.
Steps to reproduce
- Create a member with a + character in the login
- Hit "Restrict Public Access..." on a content node
- Select "Specific member protection" and choose the member created above
- Hit the save button
Expected result / actual result
Actual Result
- The public access rule is persisted in SQL with a space character instead of a '+'
- The RuleValue field in any triggered PublicAccessEntrySavedNotification's rules contains a space character instead of a '+'
- Subsequently selecting "Restrict Public Access..." on the same content node shows as though no rules are configured, see following:
Expected Result
- In both places above, the member's login name contains a '+' character instead of a space
- When selecting "Restrict Public Access..." on the same content node again, the selected member rule is shown, like the following:
This item has been added to our backlog AB#48803
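The round trip described in the report, as an added example that is not part of the original issue or of Umbraco's code: it builds the query string with and without percent-encoding and shows which logins survive form-urlencoded decoding. The helper names are hypothetical, and URLSearchParams stands in for the server's query-string binding as an assumption.

```javascript
// Added example; the login and contentId are taken from the request in the report.
const BASE =
  "https://localhost:44303/umbraco/backoffice/umbracoapi/publicaccess/PostPublicAccess";

// Hypothetical helper: places each login into the query string unencoded,
// matching the shape of the request shown in the report.
function buildUrlRaw(contentId, usernames) {
  const parts = [`contentId=${contentId}`];
  for (const u of usernames) parts.push(`usernames[]=${u}`);
  return `${BASE}?${parts.join("&")}`;
}

// Hypothetical corrected helper: percent-encodes every value, so '+' is sent as %2B.
function buildUrlEncoded(contentId, usernames) {
  const parts = [`contentId=${encodeURIComponent(contentId)}`];
  for (const u of usernames) parts.push(`usernames[]=${encodeURIComponent(u)}`);
  return `${BASE}?${parts.join("&")}`;
}

// Receiver side (assumption): form-urlencoded decoding, where a literal '+'
// in the query string is read as a space.
function receivedUsernames(url) {
  return new URL(url).searchParams.getAll("usernames[]");
}

// Check: which logins would be persisted with a different value than was selected?
function lossyLogins(build, usernames) {
  const received = receivedUsernames(build(1075, usernames));
  return usernames.filter((u, i) => received[i] !== u);
}

const logins = ["jmf+directaccess@umbraco.dk", "plain@example.com"]; // second one constructed
console.log(receivedUsernames(buildUrlRaw(1075, logins)));
console.log(receivedUsernames(buildUrlEncoded(1075, logins)));
console.log("altered (raw):", lossyLogins(buildUrlRaw, logins));
console.log("altered (encoded):", lossyLogins(buildUrlEncoded, logins));
```

A check like lossyLogins is useful as a regression test for any client code that serialises member logins into access-rule requests.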



