Inaccessible Submodule tiles are not hidden #2854

bwaidelich opened this issue Jan 6, 2020 · 1 comment


@bwaidelich bwaidelich commented Jan 6, 2020


When a role has access to some sub module, all sub modules of the given main module are shown in the module overview.
Note: Access to the other sub modules is still prohibited, so this is merely a cosmetic bug.

Steps to Reproduce

  1. Create a Neos user with the Editor role
  2. Grant the Editor role access to some admin modules via Policy.yaml:
        -
          privilegeTarget: 'Neos.Neos:Backend.Module.Administration'
          permission: GRANT
        -
          privilegeTarget: 'Neos.Neos:Backend.Module.Administration.Sites'
          permission: GRANT
  3. Log in with the Editor user and navigate to /neos/administration

Expected behavior

Only the granted sub module should be visible


Actual behavior

All Administration sub modules are visible (and lead to a 403 exception when accessed).


Affected Versions

Neos: 4.3

@bwaidelich bwaidelich self-assigned this Jan 6, 2020


@bwaidelich bwaidelich commented Jan 6, 2020

The reason for the sub modules to appear is the part

    <f:if condition="{submoduleConfiguration.privilegeTarget}">
        <f:security.ifAccess privilegeTarget="{submoduleConfiguration.privilegeTarget}">

in the SubmoduleOverview partial that no longer works when using ModulePrivileges.

bwaidelich added a commit to bwaidelich/neos-development-collection that referenced this issue Jan 6, 2020
Adds a ViewHelper `ifModuleAccessible` that allows evaluating whether a
given (sub) module is accessible to the currently authenticated user and
uses that ViewHelper in the SubmoduleOverview partial in order to hide
inaccessible modules from the module overview.


With neos#964 the `module.<submodule>.privilegeTarget` configuration became
deprecated in favor of `ModulePrivilege`s but the partial only checked
the "privilegeTarget" configuration.

Note: This is just a quick fix for the bug. In the long run we should
rewrite the whole backend module logic in order to move such crucial
conditions from the view to the domain layer.

Fixes: neos#2854
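
The mismatch described in this issue, as an added example that is not part of the issue or of the Neos code base: a simplified Python model in which the tile check only looks at the deprecated `privilegeTarget` setting while access is enforced through module privileges. The module paths, the `Example:` targets and all function names are assumptions made for the illustration.

```python
# Simplified model of the issue, not Neos code. Names marked "constructed"
# are illustrative and do not come from the issue or from Neos.

# Module privilege targets: identifier -> module path it protects.
# The paths are assumed; the first two identifiers are from the issue.
MODULE_TARGETS = {
    "Neos.Neos:Backend.Module.Administration": "administration",
    "Neos.Neos:Backend.Module.Administration.Sites": "administration/sites",
    "Example:Backend.Module.Administration.Users": "administration/users",  # constructed
    "Example:Backend.Module.Administration.Packages": "administration/packages",  # constructed
}

# Submodule settings: none of them sets the deprecated "privilegeTarget" key,
# because access is expressed through module privileges instead.
SUBMODULES = {
    "administration/sites": {},
    "administration/users": {},     # constructed
    "administration/packages": {},  # constructed
}

# Grants of the Editor role, as in the Policy.yaml from the issue.
EDITOR_GRANTS = {
    "Neos.Neos:Backend.Module.Administration",
    "Neos.Neos:Backend.Module.Administration.Sites",
}


def is_module_accessible(path, grants):
    """Enforcement check: a module opens only if a granted target protects it."""
    return any(MODULE_TARGETS.get(target) == path for target in grants)


def tile_visible_legacy(path, grants):
    """View-side check shaped like the Fluid condition quoted in the issue."""
    target = SUBMODULES[path].get("privilegeTarget")
    if target:                   # <f:if condition="{submoduleConfiguration.privilegeTarget}">
        return target in grants  # <f:security.ifAccess privilegeTarget="...">
    return True                  # assumed: without the key the tile is rendered


def tile_visible_fixed(path, grants):
    """The view asks the same question the enforcement layer answers."""
    return is_module_accessible(path, grants)


def dead_tiles(visible, grants):
    """Tiles that are shown but would answer with a 403 when opened."""
    return sorted(p for p in SUBMODULES
                  if visible(p, grants) and not is_module_accessible(p, grants))
```

`dead_tiles` can serve as a regression check: for every role, the list of visible but inaccessible tiles should be empty.
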
@bwaidelich bwaidelich removed their assignment Jan 6, 2020
@bwaidelich bwaidelich closed this Jan 13, 2020