Fix for #18642 - user/selfedit policy does not work without at least one content/edit and content/create policy #125
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… one content/edit and content/create policy
|
And ofcourse, the following SQL is needed when upgrading: UPDATE ezpolicy SET module_name = 'content' WHERE module_name = 'user' AND function_name = 'selfedit'; |
|
-1 from me, we intend to move user out of content at some point, so then this move would just cause more work. |
|
(Without looking at the code) I would also prefer to keep user editing outside of content, and trying to fix it (the fact that content/edit is required for user/selfedit) some other way |
|
The only way I see is in eZUser->hasAccessToView method around eval() function call. It would be a dirty hack, for example, if module is "content" and view is "edit" then if eval() call returns false and user has access to user/selfedit, set it to true. |
peterkeung
pushed a commit
to peterkeung/ezpublish
that referenced
this pull request
Dec 14, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a fix for issue #18642 at http://issues.ez.no/IssueView.php?Id=18642&activeItem=1
Since user/selfedit is not in the content module, access to self editing is denied early in the index.php, because existing access function expression when self editing is only "(edit or create)". And when both of those are missing from policy list, user cannot edit himself.
I propose moving selfedit function from user module to content module which will allow for access function expression to be "(edit or create or selfedit)" thus allowing the module to run, and later relying on ($obj->canEdit()) to return a valid value based on match of current user ID and object ID to be edited.
If you think this is a welcome change, another pull request needs to be added to ezflow so new installs can create content/selfedit policies instead of user/selfedit.