eZ Publish / Platform / EZP-22775

[API] Permissions should handle missing limitations better

    Details

    • Sprint:
      Castor Core S1, Castor Core S2

      Description

      Steps to reproduce the issue:
      • make sure http cache is enabled ( "SetEnv USE_HTTP_CACHE 1" on virtualhost config )
      • create an obj state group, with at least a couple of states
      • create a role
      • give it a policy of state/assign, with a limitation on the new state
      • assign that role to admin
      • go to backoffice
      Result:

      An exception will be thrown:

      NotFoundException: Could not find 'Limitation' with identifier 'NewState'
      

      Notes:

      On the last step you'll get an exception because the permission system loads all roles. The problem is that the NewState policyLimitationType is not implemented and the admin user is loaded by the userhash generator. Funnily enough, things work if you assign the same role to another user and use it to log in.

      Proposed behavior change:

      • introduce optional logging for missing limitations
      • if not provided, throw like today; if provided, log instead and treat as "no access", so it basically continues to the next assignment and treats the "current one" as "saying no"
      • setup prod to log by default
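
The behavior proposed above, sketched as an added example (not ezpublish-kernel code; `canUser`, `MissingLimitationException` and the array shapes are assumptions made for illustration): without a logger a missing limitation type throws as today, with a logger it is logged and that role assignment is treated as saying no, never as unlimited.

```php
<?php
// Added illustration: names and array shapes are hypothetical, not ezpublish-kernel API.
final class MissingLimitationException extends RuntimeException {}

/**
 * $assignments: list of ['role' => string, 'policies' => list of [identifier => values]].
 * $types: registered limitation types, identifier => callable(array $values, array $ctx): bool.
 * $logger: optional; null keeps the strict "throw" behavior.
 */
function canUser(array $assignments, array $types, array $ctx, ?callable $logger = null): bool
{
    foreach ($assignments as $assignment) {
        foreach ($assignment['policies'] as $limitations) {
            foreach ($limitations as $identifier => $values) {
                if (!isset($types[$identifier])) {
                    if ($logger === null) {
                        throw new MissingLimitationException(
                            "Could not find 'Limitation' with identifier '$identifier'"
                        );
                    }
                    $logger("Missing limitation '$identifier' in role '{$assignment['role']}': no access");
                    continue 3; // unknown limitation never widens access; next assignment
                }
                if (!$types[$identifier]($values, $ctx)) {
                    continue 2; // limitation not satisfied, try the next policy
                }
            }
            return true; // every limitation on this policy passed
        }
    }
    return false; // nothing granted access
}

// Constructed sample: 'NewState' has no registered type, as in the report.
$types = ['Section' => fn(array $v, array $c): bool => in_array($c['section'], $v, true)];
$assignments = [
    ['role' => 'StateAssigner', 'policies' => [['NewState' => [2]]]],
    ['role' => 'Editor', 'policies' => [['Section' => [1]]]],
];
$logger = function (string $m): void { error_log($m); };

// Logging mode: the broken assignment is skipped, the Editor assignment is still evaluated.
var_dump(canUser($assignments, $types, ['section' => 1], $logger));
// Strict mode (no logger): the first missing limitation aborts the check.
try {
    canUser($assignments, $types, ['section' => 1]);
} catch (MissingLimitationException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```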

          Activity

          Gaetano Giunta (Inactive) added a comment -

          note: needs http cache on to manifest itself

          Gaetano Giunta (Inactive) added a comment -

          side note: affects extensions: ezjscore, ggwebservices

          André Rømcke added a comment -

          Moved issue back to bug type. Testing by reporters needed for proposed patch as I don't have full stack trace for the related issues.

          PR: https://github.com/ezsystems/ezpublish-kernel/pull/851

          André Rømcke added a comment - Fixed in 5.3 https://github.com/ezsystems/ezpublish-kernel/commit/a892ae9003d1f193535b7acd059d90e399d50435
          André Rømcke added a comment - New PR: https://github.com/ezsystems/ezpublish-kernel/pull/899
          André Rømcke added a comment - - edited

          Merged in https://github.com/ezsystems/ezpublish-kernel/commit/44a9d70e13e09344178ac173c65110e0c0ce72fd

          New behavior: LimitationNotFoundException is thrown with some instructions on how to resolve the issue. The issue has already been solved for FunctionList ezjscore limitation with this patch, NewState handled in related issue.

          Update: additional commit to change exception to not extend NotFound as it can cause code that relies on this for missing entities to fail: https://github.com/ezsystems/ezpublish-kernel/commit/db6e36db74a7d793f512de04f687c37a82d1fa01

          André Rømcke added a comment - Doc added: https://doc.ez.no/display/EZP/Limitations+reference https://doc.ez.no/display/EZP/BlockingLimitation
          Pedro Resende (Inactive) added a comment -

          Tested and approved by Q.A.


            People

            • Assignee:
              Unassigned
              Reporter:
              Gaetano Giunta (Inactive)

                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 1d 4h 30m