Project: eZ Publish / Platform
Issue: EZP-21438

Improve relation permission handling to use view_embed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 4.7.0, 5.0 Maintenance, 5.1 Maintenance, 5.2-dev
    • Fix Version/s: Customer request, 4.7.0, 5.2-rc1, 5.3
    • Component/s: Permissions
    • Labels:
      None

      Description

      With the introduction of the security fix to not show relations, it is now required to make the Media library readable.
      However, it should instead use view_embed, as is done in the xmltext field type; see:

      // From the ezxmltext datatype: the embed is rendered with its normal template when the
      // user can read the object or holds view_embed on it; otherwise the "_denied" template is used.
      if ( $object->attribute( 'can_read' ) ||
           $object->attribute( 'can_view_embed' ) )
      {
          $templateName = $element->nodeName . $tplSuffix;
      }
      else
      {
          $templateName = $element->nodeName . '_denied';
      }
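      To make the point of the request concrete, here is an added, self-contained PHP 8.1 model written for this page; it is not eZ Publish code. The names Policy, Content, User, canUser, canViewDirectly and embedTemplateFor are assumptions, and the single "subtree" limitation is a simplification of eZ's policy limitations. It shows the least-privilege effect of a separate view_embed function: an anonymous user granted view_embed (but not read) on the Media library gets the normal template when a media object is embedded in, or related to, an article, while a direct request for that media object is still refused.

```php
<?php
declare(strict_types=1);

// Added example, not eZ Publish code. Policy, Content, User and the functions
// below are assumed names; eZ's real model (eZContentObject::attribute('can_read'),
// 'can_view_embed', policy limitations) is richer than this sketch.

final class Policy
{
    public function __construct(
        public readonly string $function,       // 'read' or 'view_embed'
        public readonly ?string $subtree = null // Subtree limitation; null = everywhere
    ) {
    }
}

final class Content
{
    public function __construct(
        public readonly int $id,
        public readonly string $name,
        public readonly string $path            // location path, e.g. '/media/files/brochure'
    ) {
    }
}

final class User
{
    /** @param Policy[] $policies */
    public function __construct(public readonly string $login, public readonly array $policies)
    {
    }
}

// True if some policy grants $function on $content, honouring the subtree limitation.
function canUser(User $user, string $function, Content $content): bool
{
    foreach ($user->policies as $policy) {
        if ($policy->function !== $function) {
            continue;
        }
        if ($policy->subtree === null
            || str_starts_with($content->path, rtrim($policy->subtree, '/') . '/')) {
            return true;
        }
    }
    return false;
}

// A direct request for the object (e.g. content/view/full/<node>): only 'read' counts.
function canViewDirectly(User $user, Content $content): bool
{
    return canUser($user, 'read', $content);
}

// Rendering a relation or an <embed> inside another object's XML block. This is the
// check the issue asks for: read OR view_embed selects the normal template, anything
// else selects the "_denied" template, mirroring the ezxmltext snippet.
function embedTemplateFor(User $user, Content $content, string $nodeName = 'embed', string $tplSuffix = ''): string
{
    if (canUser($user, 'read', $content) || canUser($user, 'view_embed', $content)) {
        return $nodeName . $tplSuffix;
    }
    return $nodeName . '_denied';
}

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException('FAILED: ' . $what);
    }
    echo 'ok: ', $what, PHP_EOL;
}

// Constructed sample data.
$brochure = new Content(42, 'Brochure', '/media/files/brochure');

// The narrow grant: anonymous may read the main site tree, but on the Media
// library it only gets view_embed. The workaround before this fix was to grant
// 'read' on /media, which also exposes every media object to direct viewing.
$anonymous = new User('anonymous', [
    new Policy('read', '/content'),
    new Policy('view_embed', '/media'),
]);
$editor = new User('editor', [new Policy('read')]);   // read everywhere
$guest  = new User('guest', []);                      // no policies at all

check(!canViewDirectly($anonymous, $brochure), 'anonymous cannot open the brochure object directly');
check(embedTemplateFor($anonymous, $brochure) === 'embed', 'anonymous sees the brochure embedded in an article');
check(embedTemplateFor($editor, $brochure) === 'embed', 'read alone is still sufficient');
check(embedTemplateFor($guest, $brochure) === 'embed_denied', 'no read and no view_embed selects the _denied template');
check(embedTemplateFor($anonymous, $brochure, 'embed-inline') === 'embed-inline', 'same rule for inline embeds');
```

      Run it with `php example.php`. The canViewDirectly check is the part a reviewer should care about: view_embed widens what anonymous sees only through embeds and relations, not what it can fetch on its own. It is still a disclosure grant, though: whatever the embed template renders becomes visible to anyone who can read the embedding object, so scope the view_embed policy to the subtree you actually intend to expose.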
      

        Issue Links

          Activity

          Jérôme Vieilledent (Inactive) added a comment - - edited Fixed in legacy master: https://github.com/ezsystems/ezpublish-legacy/commit/877555fd9e032abb7a4878b8a03a522a5c54dec9
          Joao Pingo (Inactive) added a comment - - edited

          @hi
          I'm getting some strange results on this issue. I've done 2 tests based on this and the original issue:

          1st Test:

          1. Created an ezdemo installation
          2. Created a class with an object relation datatype and an XML block
          3. Created 3 objects in the Media Library
            1. Image inside the Images folder
            2. File inside the Files folder
            3. Video inside the Multimedia folder
          4. Created 3 objects, each one with an object relation to one of the created objects
          5. In the Image object, added the same image as an embedded object in the xml_block
          6. Checked the results in the frontend

          With the patch: "No Relation" message is shown in all the objects logged as admin and as anonymous
          Without the patch: The relation and the embed image are always present as admin and as anonymous

          2nd Test

          1. Created an ezdemo installation
          2. Created a class with an object relations datatype and an XML block
          3. Created 3 objects in the Media Library
            1. Image inside the Images folder
            2. File inside the Files folder
            3. Video inside the Multimedia folder
          4. Created 1 object and added the 3 created media objects as relations
          5. Added the Image object as an embed in the xml_block
          6. Checked the results in the frontend

          With Patch:

          • As anonymous: all of the related objects and the embedded object are present, but the video does not play back (possibly due to issue https://jira.ez.no/browse/EZP-21602)
          • As admin: every related object is present and playback works

          Without patch:

          • As anonymous the video is not present but the other objects (Image, File and embed image) are available
          • As admin all objects in relations are present
          Petar Spanja (Inactive) added a comment - - edited Pull request https://github.com/ezsystems/ezpublish-kernel/pull/490 merged in ezpublish-kernel/master: https://github.com/ezsystems/ezpublish-kernel/commit/0eadd3a75bf4e3e611b7d5625f09ee74257af458
          Łukasz Serwatka added a comment - - edited

          It was a request coming from sales, who did a couple of demos in front of customers and got "You don't have permissions to view this content" for the anonymous user for embedded content inside an eZ XML block for content objects such as binary file, video, image, etc. That error was plain stupid for the end user, as we should support the possibility of having embedded content, for example a brochure (binary file).

          Petar Spanja (Inactive) added a comment -

          Additional PR fixing checking view_embed in XMLText converter:

          https://github.com/ezsystems/ezpublish-kernel/pull/644

          Petar Spanja (Inactive) added a comment -

          Additional PR fixing checking view_embed in XMLText converter merged in ezpublish-kernel/master:

          https://github.com/ezsystems/ezpublish-kernel/commit/cd049d5a0985983881de8c5f0a27b84a90eaaf87

          Pedro Resende (Inactive) added a comment -

          Tested and approved by Q.A. on 4.7, 5.2 and master (5.3)

          Georg Franz added a comment -

          Hi,

          I've tested the patch, so is this the intended behavior?

          I upload an image (class image).

          I create an article and embed the image. The image is shown.

          Afterwards, I hide the image, the image isn't shown at the article.

          "Hidden" probably means something different from "not readable"?

          Best wishes,
          Georg.

          Joao Pingo (Inactive) added a comment -

          QA Approved
          Note: For this patch to fully work it is necessary to fix the anonymous user permissions, as found in https://jira.ez.no/browse/EZP-22028


            People

            • Assignee: Unassigned
            • Reporter: André Rømcke
            • Votes: 0
            • Watchers: 15

            Time Tracking

            • Original Estimate: Not Specified
            • Remaining Estimate: 0m
            • Time Spent: 1w 7h 50m