  1. eZ Publish / Platform
  2. EZP-25789

Editors access to own user and read all user meta info for author field type

    Details

    • Type: Story
    • Status: Backlog
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      The current policy setup does not allow users from the Editors user group to edit content. The user does not have access to the REST endpoint http://ezs.dev/api/ezp/v2/user/users/14 - 401 (Unauthorized).

      There are two issues:

      • new user menu in platform needs to load "self" to display your user name
      • author field type loads assigned user to display name (and probably also email)

      However, the editor does not always have access to this, and in legacy you did not have to, as this was just fetched in templates and did not go over the API, which checks permissions.

          Activity

          André Rømcke added a comment - edited

          Issue affects both eZ Platform (clean and demo) and eZ Studio; workaround is to add a new role assigned (unlimited) to editor group with policy `content/read Class(User)`.

          However, there are a few other changes that will be needed on Editor Role as well here to get it working as intended with new stack (short: new stack is more strict, so roles need to be more precise).

          Rui Silva added a comment -

          QA confirms it also occurs on ezplatform.

          André Rømcke added a comment -

          Open PRs:

          • https://github.com/ezsystems/ezplatform-demo/pull/13
          • https://github.com/ezsystems/ezpublish-kernel/pull/1600

          However, this is potentially the wrong approach; there was a discussion on this somewhere (duplicate issue?), and the outcome was that we potentially need to add some permission and REST entry point to load meta info about users. TBD.

            People

            • Assignee: Unassigned
            • Reporter: Łukasz Serwatka
            • Votes: 0
            • Watchers: 4
