This repository has been archived by the owner on Dec 18, 2020. It is now read-only.

Problem with permissions for contents in different locales #774

Open
afroewis opened this issue Dec 19, 2016 · 6 comments

afroewis commented Dec 19, 2016

| Q | A |
| --- | --- |
| Bug? | yes |
| New Feature? | no |
| Sulu Version | 1.4.2 |

Actual Behavior

Set up

Tested this with a fresh clone of sulu-minimal.

I create 2 user roles:

  1. Read (User has view/read permissions for contents)
  2. Write (User can create/edit contents)

I create 2 Users:

  1. User_EN
  2. User_DE

User_EN has Read permission in DE & EN and Write permission in EN.
User_DE has Read permission in DE & EN and Write permission in DE.

What I want to do

  1. User_EN creates a page in en locale
  2. User_DE sees the ghost page from en locale in the de locale
  3. User_DE hovers on the ghost page and clicks on "create"
  4. User_DE wants to create a copy of the page from en
  5. Error: Operation forbidden The available permissions are not sufficient for this operation

Why can't User_DE create a copy of the shadow page?

Expected Behavior

User_DE can create a copy of the shadow page from en.

Contributor

danrot commented Dec 19, 2016

Found the problem here... The request which is sent looks like this: http://sulu-test.lo/admin/api/nodes/42062b8e-afa2-4c6a-b14e-378b4364a516?webspace=sulu_io&language=en&dest=de&action=copy-locale. The language parameter here describes from where the content is read, and the dest parameter describes where it is written. But our listener always uses the language parameter for checking the security, which is the reason why this does not work.

There are basically three possibilities:

  1. Change the API to use the language parameter for the language which is being written and introduce a new source parameter instead. This is a BC break and we would have to send multiple requests in case multiple destination locales are chosen.
  2. We do not use the Listener with the NodeController at all and implement the security checks in all actions on our own.
  3. We adjust the getLocale method of the SecuredControllerInterface to pass a Request object, so that we can check based on the request what to return. Then we could return null and handle only this specific action specially. That's also a BC break; I would consider it an even bigger one than point 1.
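
The check described in the comment above, modeled as an added example (not Sulu's code and not written by any participant in this thread): it compares a listener that consults only `language` with one that requires read access on the source locale and write access on every destination locale. The function names, the permission names `view` and `edit`, the comma-separated form of `dest`, and the grants table are assumptions constructed from the set-up in the issue.

```php
<?php
// Added illustration, not Sulu code. Assumed: permission names 'view'/'edit',
// a comma-separated `dest`, and that the listener asks for 'edit' here.

// Constructed grants matching the issue: user => locale => permissions.
const GRANTS = [
    'User_EN' => ['en' => ['view', 'edit'], 'de' => ['view']],
    'User_DE' => ['en' => ['view'], 'de' => ['view', 'edit']],
];

function isGranted(string $user, string $locale, string $permission): bool
{
    return in_array($permission, GRANTS[$user][$locale] ?? [], true);
}

// The behaviour described in the thread: only `language` is consulted.
function checkLanguageOnly(string $user, array $query): bool
{
    return isGranted($user, $query['language'] ?? '', 'edit');
}

// Per-locale check: read the source, write every destination.
function checkPerLocale(string $user, array $query): bool
{
    $source = $query['language'] ?? '';
    if (($query['action'] ?? '') !== 'copy-locale') {
        return isGranted($user, $source, 'edit');
    }
    $dests = array_filter(array_map('trim', explode(',', $query['dest'] ?? '')), 'strlen');
    if ($dests === [] || !isGranted($user, $source, 'view')) {
        return false; // fail closed: nothing to write to, or source unreadable
    }
    foreach ($dests as $locale) {
        if (!isGranted($user, $locale, 'edit')) {
            return false;
        }
    }
    return true;
}

// Query string from the request quoted above.
parse_str('webspace=sulu_io&language=en&dest=de&action=copy-locale', $query);
foreach (['User_DE', 'User_EN'] as $user) {
    printf("%s language-only=%s per-locale=%s\n", $user,
        var_export(checkLanguageOnly($user, $query), true),
        var_export(checkPerLocale($user, $query), true));
}
```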

Contributor

danrot commented Dec 19, 2016

@chirimoya @wachterjohannes What do you think? I think I'd be in favor of variant 1.

@wachterjohannes
Member

I would prefer 3, which could also return multiple locales, which would be possible without BC breaks. The only thing we have to take care of is that sometimes a single string comes and sometimes an array of strings.

danrot added the Bug label Dec 21, 2016


ollietb commented Dec 22, 2016

I think I'm also getting this error - when I try to copy content from a locale using the dropdown at the top of the page I get the Exception Attempted to call an undefined method named "getPublished" of class "Sulu\Component\DocumentManager\Document\UnknownDocument"
The request url is http://cms.localhost/admin/api/nodes/1155029f-8784-4e58-af16-cbbcfa7f4984?action=copy-locale&dest=pt&language=en&webspace=eventstag

Also, I'm not sure whether it's the same issue but there are 2 values in the locale list which are not in my webspace settings - de and de_at

Contributor

danrot commented Dec 22, 2016

@ollietb I think you have a different problem here... In this dropdown you should only get languages which are available on the node. Can you check that page in the PHPCR shell and see if there are some properties with the prefix of these languages? Maybe they were created before you deleted the languages from your webspace.


ollietb commented Dec 22, 2016

@danrot I'll create a new issue
