Inaccessible Submodule tiles are not hidden #2854

Closed
bwaidelich opened this issue Jan 6, 2020 · 1 comment
@bwaidelich bwaidelich commented Jan 6, 2020

Description

When a role has access to some sub module, all sub modules of the given main module are shown in the module overview.
Note: Access to the other sub modules is still prohibited, so this is merely a cosmetic bug

Steps to Reproduce

  1. Create Neos user with Editor role
  2. Grant the Editor role access to some admin modules via Policy.yaml:

     roles:
       'Neos.Neos:Editor':
         privileges:
           -
             privilegeTarget: 'Neos.Neos:Backend.Module.Administration'
             permission: GRANT
           -
             privilegeTarget: 'Neos.Neos:Backend.Module.Administration.Sites'
             permission: GRANT

  3. Log in with the Editor user and navigate to /neos/administration

Expected behavior

Only the granted sub module should be visible


Actual behavior

All Administration sub modules are visible (and lead to a 403 exception when accessed):


Affected Versions

Neos: 4.3

@bwaidelich bwaidelich self-assigned this Jan 6, 2020
@bwaidelich bwaidelich commented Jan 6, 2020

The reason for the sub modules to appear is the part

<f:if condition="{submoduleConfiguration.privilegeTarget}">
    <f:then>
        <f:security.ifAccess privilegeTarget="{submoduleConfiguration.privilegeTarget}">

in the SubmoduleOverview partial that no longer works when using ModulePrivileges

bwaidelich added a commit to bwaidelich/neos-development-collection that referenced this issue Jan 6, 2020
Adds a ViewHelper `ifModuleAccessible` that allows to evaluate whether a
given (sub) module is accessible to the currently authenticated user and
uses that ViewHelper in the SubmoduleOverview partial in order to hide
inaccessible modules from the module overview.

Background:

With neos#964 the `module.<submodule>.privilegeTarget` configuration became
deprecated in favor of `ModulePrivilege`s but the partial only checked
the "privilegeTarget" configuration.

Note: This is just a quick fix for the bug. In the long run we should
rewrite the whole backend module logic in order to move such crucial
conditions from the view to the domain layer.

Fixes: neos#2854
@bwaidelich bwaidelich removed their assignment Jan 6, 2020
@bwaidelich bwaidelich closed this Jan 13, 2020
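
The mismatch described in this issue, modelled as an added example (not code from Neos or from the referenced commit): the overview decides visibility from the deprecated `privilegeTarget` setting while access is enforced through ModulePrivileges, so the two answers drift apart. The sub module list, the path-to-target mapping and the fallback branch of the legacy check are assumptions made for the model.

```python
# Model only: module names, the path-to-target map and the "else" branch of the
# legacy check are assumptions made for this example, not Neos source code.

# Constructed settings for the Administration sub modules. None of them carries
# the deprecated `privilegeTarget` key, as is the case once ModulePrivileges are used.
SUBMODULES = {
    "administration/users": {},
    "administration/packages": {},
    "administration/sites": {},
    "administration/configuration": {},
}

# Constructed mapping from module path to the ModulePrivilege target guarding it.
TARGET_FOR_PATH = {
    path: "Neos.Neos:Backend.Module." + ".".join(p.capitalize() for p in path.split("/"))
    for path in SUBMODULES
}

# Grants for 'Neos.Neos:Editor', taken from the Policy.yaml in the report.
EDITOR_GRANTS = {
    "Neos.Neos:Backend.Module.Administration",
    "Neos.Neos:Backend.Module.Administration.Sites",
}


def enforcement_allows(path, grants):
    """Decision made when the module is requested; anything not granted is a 403."""
    return TARGET_FOR_PATH[path] in grants


def legacy_tile_visible(path, grants):
    """Overview check that only looks at the deprecated `privilegeTarget` setting."""
    target = SUBMODULES[path].get("privilegeTarget")
    if target:
        return target in grants
    return True  # assumed fallback: no configured target means the tile is rendered


def fixed_tile_visible(path, grants):
    """Overview check that asks the same question as enforcement."""
    return enforcement_allows(path, grants)


def drift(visible, grants):
    """Tiles that are rendered although requesting the module would be denied."""
    return sorted(p for p in SUBMODULES if visible(p, grants) and not enforcement_allows(p, grants))
```

A non-empty `drift(...)` result is the condition a regression test for the module overview would fail on.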