Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IBX-8426: Fixed duplicate relations #390

Merged
merged 10 commits into from
Jul 15, 2024
Merged

Conversation

reithor
Copy link
Contributor

@reithor reithor commented Jun 21, 2024

🎫 Issue IBX-8426

Description:

PR adds a "permission switch" to internalLoadRelations().

maintainer update: changed to use sudo as all of them are needed for the update process, see review notes.

Background:
When a user changes Content with related Content without having read permission to the related Content, existing relations are duplicated in ezcontentobject_link table.

https://github.com/ibexa/core/blob/4.6/src/lib/Repository/ContentService.php#L1432

$this->relationProcessor->processFieldRelations(
          $inputRelations,
          $spiContent->versionInfo->contentInfo->id,
          $spiContent->versionInfo->versionNo,
          $contentType,
          $existingRelations
      );
  • processFieldRelations() adds all relations from $inputRelations that do not alreaday exist in $existingRelations.
  • $existingRelations are load from internalLoadRelations() - skipping non-readable Content
 protected function internalLoadRelations(APIVersionInfo $versionInfo): array
 {
        ..
        /** @var $relations \Ibexa\Contracts\Core\Repository\Values\Content\Relation[] */
        $relations = [];
        foreach ($spiRelations as $spiRelation) {
            $destinationContentInfo = $this->internalLoadContentInfoById($spiRelation->destinationContentId);
            if (!$this->permissionResolver->canUser('content', 'read', $destinationContentInfo)) {
                continue;
            }
         }
        ..
}

@reithor reithor changed the base branch from main to 4.6 June 21, 2024 09:40
@reithor reithor marked this pull request as ready for review June 21, 2024 10:54
@reithor reithor requested a review from a team June 21, 2024 10:55
@webhdx webhdx requested a review from alongosz June 24, 2024 10:16
@reithor
Copy link
Contributor Author

reithor commented Jun 25, 2024

@alongosz
I found 2 related issues:

  1. APP_ENV=prod:
    Message for non-accessible relations when editing the Content Object is:
    The content item or its location is hidden. It will no longer be publicly available.
    should be
    You don't have permissions to view this Content item (contentID: ..).

  2. APP_ENV=dev:
    RuntimeError is thrown when editing the Content

Twig\Error\RuntimeError:
Impossible to access an attribute ("mainLocationId") on a null variable.

  at vendor/ibexa/admin-ui/src/bundle/Resources/views/themes/admin/ui/field_type/edit/relation_base.html.twig:105

Copy link
Member

@alongosz alongosz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm missing here integration test coverage (not a unit one) reproducing the use case from the JIRA ticket on API.

That would help me determining if the fix is done in a proper way and will make it future-proof when other changes gets applied.

@reithor
Copy link
Contributor Author

reithor commented Jun 28, 2024

I'm missing here integration test coverage (not a unit one) reproducing the use case from the JIRA ticket on API.

thanks @alongosz - will try to get this done - and ping you when I have questions.

@reithor reithor requested a review from alongosz June 29, 2024 08:57
@reithor
Copy link
Contributor Author

reithor commented Jun 29, 2024

I'm missing here integration test coverage

@alongosz : integration test has been added

@reithor reithor force-pushed the ibx-8426_fixed-duplicate-relations branch 3 times, most recently from 781b113 to d8fdddb Compare June 30, 2024 11:20
Copy link
Member

@alongosz alongosz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the test case, after debugging it I see what's the root cause here. Seems we either:

  • have a missing feature when loading a $content item by internalLoadContentById - RelationList field should never load on API level an item which user has no permissions to access - might be difficult to implement on the relevant layer level though,
  • are updating relations based on too heavy objects - this can negatively impact performance - if we don't touch relation field in an update, it should not be updated at all

both of these things however are too complex to mitigate them via this issue. I have another suggestion as a quick fix for our faulty architecture.

// Side note: please rebase, there are some PHPStan issues that were solved on 4.6 yesterday.

@reithor reithor force-pushed the ibx-8426_fixed-duplicate-relations branch from 7ea59f6 to 7737be3 Compare July 3, 2024 10:47
@reithor reithor requested a review from alongosz July 3, 2024 12:33
@@ -1421,7 +1421,7 @@ protected function internalUpdateContent(
)->id,
]
);
$existingRelations = $this->internalLoadRelations($versionInfo);
$existingRelations = $this->repository->sudo(fn (): array => $this->internalLoadRelations($versionInfo));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review note: it's done like that because there are some architecture issues that are not easy to fix, see #390 (review)

@alongosz alongosz requested a review from a team July 3, 2024 12:39
@reithor reithor requested a review from Steveb-p July 3, 2024 15:12
Copy link

sonarcloud bot commented Jul 3, 2024

@alongosz alongosz requested a review from a team July 8, 2024 09:14
@konradoboza konradoboza requested a review from a team July 8, 2024 09:25
@Steveb-p Steveb-p requested a review from a team July 8, 2024 09:42
@alongosz alongosz merged commit bdab9ea into 4.6 Jul 15, 2024
22 checks passed
@alongosz alongosz deleted the ibx-8426_fixed-duplicate-relations branch July 15, 2024 10:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants