EZP-29539: Deleting object will remove all subtree items even when user does not have permission to delete them #2536
Conversation
pawbuj
requested review from
andrerom,
alongosz,
adamwojs,
micszo,
mikadamczyk,
Nattfarinn,
ViniTou and
webhdx
| $this->settings = $settings + array( | ||
| //'defaultSetting' => array(), | ||
| ); | ||
| $this->settings = $settings + array(//'defaultSetting' => array(), |
There was a problem hiding this comment.
| $this->settings = $settings + array(//'defaultSetting' => array(), | |
| $this->settings = $settings; |
| @@ -294,7 +301,8 @@ public function findTrashItems(Query $query) | |||
|
|
|||
| foreach ($query->sortClauses as $sortClause) { | |||
| if (!$sortClause instanceof SortClause) { | |||
| throw new InvalidArgumentValue('query->sortClauses', 'only instances of SortClause class are allowed'); | |||
| throw new InvalidArgumentValue('query->sortClauses', | |||
There was a problem hiding this comment.
Actually, such changes shouldn't be in PR until they are necessary to fix a bug 😉
|
|
||
| $contentRemoveCriterion = $this->permissionCriterionResolver->getPermissionsCriterion('content', 'remove'); | ||
|
|
||
| if ($contentRemoveCriterion === false) { |
There was a problem hiding this comment.
maybe
| if ($contentRemoveCriterion === false) { | |
| if (is_bool($contentRemoveCriterion)) { | |
| return $contentRemoveCriterion; | |
| } | |
?
| @@ -63,15 +69,16 @@ public function __construct( | |||
| RepositoryInterface $repository, | |||
| Handler $handler, | |||
| Helper\NameSchemaService $nameSchemaService, | |||
| array $settings = array() | |||
| array $settings = array(), | |||
| PermissionCriterionResolver $permissionCriterionResolver | |||
There was a problem hiding this comment.
There is no BC promise for constructors so please move $permissionCriterionResolver before $settings
| @@ -12,6 +12,8 @@ | |||
| use eZ\Publish\API\Repository\Repository as RepositoryInterface; | |||
| use eZ\Publish\API\Repository\Values\Content\Content; | |||
| use eZ\Publish\API\Repository\Exceptions\UnauthorizedException as APIUnauthorizedException; | |||
| use eZ\Publish\Core\REST\Client\Values\Content\ContentInfo; | |||
There was a problem hiding this comment.
| use eZ\Publish\Core\REST\Client\Values\Content\ContentInfo; |
| return false; | ||
| } | ||
|
|
||
| $contentRemoveCriterion = $this->permissionCriterionResolver->getPermissionsCriterion('content', 'remove'); |
There was a problem hiding this comment.
Is there any scenario that this can return true?
There was a problem hiding this comment.
according to docs, yes
There was a problem hiding this comment.
And that was my point ;)
pawbuj
force-pushed
the
EZP-29539
branch
3 times, most recently
from
d17ca05 to
eee0379
Compare
| @@ -23,6 +24,10 @@ | |||
| use eZ\Publish\API\Repository\Values\Content\Trash\SearchResult; | |||
| use eZ\Publish\API\Repository\Values\Content\Query\Criterion; | |||
| use eZ\Publish\API\Repository\Values\Content\Query\SortClause; | |||
| use eZ\Publish\API\Repository\PermissionCriterionResolver; | |||
| use eZ\Publish\API\Repository\Values\Content\Query\Criterion\LogicalAnd as CriterionLogicalAnd; | |||
There was a problem hiding this comment.
| use eZ\Publish\API\Repository\Values\Content\Query\Criterion\LogicalAnd as CriterionLogicalAnd; | |
| use eZ\Publish\API\Repository\Values\Content\Query\Criterion; |
in many places in the kernel it is used like this
ViniTou
changed the title
|
@barbaragr @pawbuj what is the status here? |
|
@lserwatka as Andre said: |
|
@andrerom but does it really make sense to back-port it to 1.7? 1.x is in SPA architecture, with zero permissions check, this might require work on frontend side to handle those exceptions properly. I don't see any benefit here especially that report was related to 2.x only. |
|
@lserwatka The way I read this it's a kernel bug affecting all use of the application, api's and UI, it can also be argued to be security issue. Did QA uncover any major 1.x UI issues happening with this? I would assume that is more in regards to how we handle this in REST API which is maybe anyway a todo here on this PR(?) |
This comment has been minimized.
This comment has been minimized.
pawbuj
force-pushed
the
EZP-29539
branch
2 times, most recently
from
f3f2a69 to
63f3721
Compare
…er does not have permission to delete them
|
Could you merge it up? |
|
Retest OK on eZ Platform EE v1.13.4. |
|
merged |
7.2Checking permission to remove content for all elements in the subtree.
TODO:
$ composer fix-cs).