
Allow some users to create sub-objects only in objects they’re the authors of #115

Closed
arkhi opened this issue Mar 15, 2021 · 3 comments
Labels: bug (Something isn't working), fixed (Issue has already been fixed)

Comments

@arkhi

arkhi commented Mar 15, 2021

This issue details the discussion I initiated on Discord.

With this structure as an example:

```
root
  |- home
  |- students
    |- joe's page
```

```yaml
# user/config/groups.yaml
[…]
students:
  groupname: students
  […]
  access:
    admin:
      super: 'false'
      login: 'true'
      pages:
        create: 'false'
        read: 'false'
        update: 'false'
        delete: 'false'
        list: 'true'
[…]
```
1. I log in with joe, who belongs to the students group (I can only list pages).
2. A super admin has set up the following permissions on joe's page:

   ```yaml
   permissions:
       authors:
           - joe
       groups:
           authors:
               create: true
               read: true
               update: true
   ```

3. I try to create first post in joe's page (like a personal journal).
4. first post is temporarily created, waiting to be saved (:princess:).
5. I click the Save button.
6. An error `Save Failed: You have insufficient permissions for task save` appears and my changes have been discarded.

I tried the following on the function `taskSave` in `flex-objects/classes/Admin/AdminController.php`, from:

```php
if (!$object->isAuthorized('create', 'admin', $this->user)) {
```

to:

```php
if (
    !$object->isAuthorized('create', 'admin', $this->user)
    && !$object->parent()->isAuthorized('create', 'admin', $this->user)
) {
```

whose goal is to allow the creation of sub-objects if the logged-in user has create permission on the parent as well.

I also needed to update the theme with a function that kicks in to add the user as the author by default, so that it inherits the permissions. Otherwise, Joe does not have any access to the page:

```php
/**
 * Handle restrictions and initialization of the theme as early as possible.
 * […]
 */
public function onThemeInitialized(Event $event)
{
    […]

    $this->enable([
        'onAdminCreatePageFrontmatter' => [
            [ 'addPermissionsToPageOwned', 1 ],
        ],
    ]);
}

/**
 * [onAdminCreatePageFrontmatter]
 * Add the current user as author in the header when creating a page.
 * Also allows them to delete the page they created.
 * […]
 */
public function addPermissionsToPageOwned( Event $event )
{
    $page   = $event;
    $header = $page['header'];

    if (!isset($header['permissions']['authors'])) {
        $header['permissions']['authors'] = [
            $this->grav['admin']->user->get('username')
        ];
    }

    $header['permissions']['groups']['authors']['delete'] = true;

    $event['header'] = $header;
}
```

Not sure if it's a good way to solve this issue or whether it creates other issues, but it works for me™ for now. :)

@mahagr mahagr self-assigned this Mar 15, 2021
@mahagr
Contributor

mahagr commented Mar 15, 2021

I need to check this out.

But really, if the object doesn't exist, the ACL should only check the parent: whether it is allowed to create the object.

PS: your fix adding parent breaks every other flex object type.

@arkhi
Author

arkhi commented Mar 15, 2021

> PS: your fix adding parent breaks every other flex object type.

That is less than ideal indeed; thanks for the heads up. :)

@mahagr mahagr added bug Something isn't working fixed Issue has already been fixed labels Mar 18, 2021
@mahagr
Contributor

mahagr commented Mar 18, 2021

A Grav fix is also needed: getgrav/grav@1c24f9f

I basically changed the `$object->isAuthorized('create')` behavior so that it automatically detects whether you are creating the current page or asking if you can create a new page under the existing page.

In short:

- If the page exists, `create` has the current behavior: can you create a page under the current page?
- If the page does not exist, `create` has a new behavior: can you create this page under the parent page?

PS: This is a backward-incompatible change and causes no access to the new page if you rely on the old behavior.

@mahagr mahagr closed this as completed Mar 20, 2021
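The authorization flow discussed in the issue body and in the fix comment above, as an added example that is not Grav's or the flex-objects plugin's code: it models the old `isAuthorized('create')` behaviour (evaluate the object itself, even when it is not saved yet), the new behaviour (an unsaved page defers `create` to its parent), and the author hook from the issue body. Class and method names (`AclUser`, `AclPage`, `isAuthorizedOld`, `isAuthorizedNew`, `applyAuthorHook`) and the sample pages, users and group ACL are assumptions constructed for the example; it runs stand-alone on PHP 8.0 or later.

```php
<?php
// Added example (not Grav's code): a self-contained model of the "create" ACL
// decision discussed in this issue. Class and method names (AclUser, AclPage,
// isAuthorizedOld, isAuthorizedNew, applyAuthorHook) are assumptions.
declare(strict_types=1);

final class AclUser
{
    /** @param string[] $groups */
    public function __construct(public string $username, public array $groups) {}
}

final class AclPage
{
    /** Constructed sample of user/config/groups.yaml: students may only list pages. */
    private const GROUP_ACL = [
        'students' => ['admin' => ['pages' => [
            'create' => false, 'read' => false, 'update' => false, 'delete' => false, 'list' => true,
        ]]],
    ];

    /** @param array<string,mixed> $header page frontmatter (only the 'permissions' key matters here) */
    public function __construct(
        public string $route,
        public bool $exists,
        public array $header = [],
        public ?AclPage $parent = null,
    ) {}

    /** Rights granted by this page's own 'permissions' header; null when it says nothing. */
    private function pageLevel(string $action, AclUser $user): ?bool
    {
        $perms   = $this->header['permissions'] ?? [];
        $authors = $perms['authors'] ?? [];
        $groups  = $perms['groups'] ?? [];

        // A listed author gets the rights of the 'authors' pseudo-group.
        if (in_array($user->username, $authors, true) && isset($groups['authors'][$action])) {
            return (bool) $groups['authors'][$action];
        }
        foreach ($user->groups as $group) {
            if (isset($groups[$group][$action])) {
                return (bool) $groups[$group][$action];
            }
        }
        return null;
    }

    /** Fallback to the site-wide group ACL (access.admin.pages.*). */
    private function groupLevel(string $action, AclUser $user): bool
    {
        foreach ($user->groups as $group) {
            if (self::GROUP_ACL[$group]['admin']['pages'][$action] ?? false) {
                return true;
            }
        }
        return false;
    }

    /** Old behaviour: always evaluate the object itself, even one that is not saved yet. */
    public function isAuthorizedOld(string $action, AclUser $user): bool
    {
        return $this->pageLevel($action, $user) ?? $this->groupLevel($action, $user);
    }

    /** New behaviour from the thread: 'create' on a page that does not exist yet is
     *  answered by its parent ("can you create this page under the parent page?"). */
    public function isAuthorizedNew(string $action, AclUser $user): bool
    {
        if ($action === 'create' && !$this->exists && $this->parent !== null) {
            return $this->parent->isAuthorizedNew('create', $user);
        }
        return $this->isAuthorizedOld($action, $user);
    }

    /** Model of the theme hook in the issue: record the creator as author so the page
     *  still grants them something once it exists (the "no access to the new page" caveat). */
    public function applyAuthorHook(AclUser $user): void
    {
        if (!isset($this->header['permissions']['authors'])) {
            $this->header['permissions']['authors'] = [$user->username];
        }
        $this->header['permissions']['groups']['authors']['delete'] = true;
    }
}

// Constructed scenario from the issue: joe (students) creates "first post" under his page.
$joe      = new AclUser('joe', ['students']);
$students = new AclPage('/students', true);
$joesPage = new AclPage('/students/joe', true, [
    'permissions' => [
        'authors' => ['joe'],
        'groups'  => ['authors' => ['create' => true, 'read' => true, 'update' => true]],
    ],
], $students);
$firstPost = new AclPage('/students/joe/first-post', false, [], $joesPage); // not saved yet

$old = $firstPost->isAuthorizedOld('create', $joe); // asks the unsaved page itself
$new = $firstPost->isAuthorizedNew('create', $joe); // asks the parent instead

$firstPost->applyAuthorHook($joe);
$firstPost->exists = true; // pretend the save went through
$delete = $firstPost->isAuthorizedOld('delete', $joe);

printf("old create: %s, new create: %s, delete after hook: %s\n",
    var_export($old, true), var_export($new, true), var_export($delete, true));
```

Walking the model through the scenario reproduces the thread: under the old rule the unsaved page has no `permissions` header, so the decision falls through to the students group ACL, which denies `create` and yields the "insufficient permissions for task save" outcome; under the new rule the parent is consulted and joe's page grants `create` to its listed authors. The hook matters for the PS in the fix comment: once the page exists it is judged on its own header again, so without an author entry joe's rights would drop back to the group ACL on the page he just created.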