New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check permission for deleting versions #384
base: 1.x
Are you sure you want to change the base?
Check permission for deleting versions #384
Conversation
iconCls: "pimcore_icon_delete", | ||
handler: this.removeAllVersion.bind(this, rowIndex, grid) | ||
})); | ||
if (this.object.isAllowed("delete")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just wondering if we need to add the permission check on the controller as well, like
if ($currentAsset->isAllowed('publish')) { |
to
admin-ui-classic-bundle/src/Controller/Admin/ElementController.php
Lines 708 to 733 in e414e6b
public function deleteVersionAction(Request $request): JsonResponse | |
{ | |
$version = Model\Version::getById((int) $request->get('id')); | |
$version->delete(); | |
return $this->adminJson(['success' => true]); | |
} | |
/** | |
* @Route("/element/delete-all-versions", name="pimcore_admin_element_deleteallversion", methods={"DELETE"}) | |
* | |
* @param Request $request | |
* | |
* @return JsonResponse | |
*/ | |
public function deleteAllVersionAction(Request $request): JsonResponse | |
{ | |
$elementId = $request->request->getInt('id'); | |
$elementModificationdate = $request->request->get('date'); | |
$versions = new Model\Version\Listing(); | |
$versions->setCondition('cid = ' . $versions->quote($elementId) . ' AND date <> ' . $versions->quote($elementModificationdate)); | |
foreach ($versions->load() as $vkey => $version) { | |
$version->delete(); | |
} |
Wondering if it should be considered a bug or even security instead, the permission is meant to make versions tab available but any of the feature/actions in there (like publish,delete) should be still following the main permissions rules. Looks like a sort of "vertical elevation of privilege" in the context of element workspace permissions. |
Well, publishing a version and deleting a version are two different things in terms of consequence. When publishing a version, it means changing the public accessible data of the affected element. And that's why it is bound to the pulish permission. When deleting a version, it is just about the version and not about deleting the element. So it has no effect on the public available data. That's why it is not bound to the delete permission (as delete permission so far means deleting the element), but possible with version permission - when you have access to versions you also can delete them. Not sure if we should do that? Any other opinnions/aspects? If we decide to change that, we Please do not merge yet. |
I agree with @fashxp here. |
Mhh, that's a good point, same word but dealing with different aspects with different impacts, What about adding a new permission definition eg. "Versions - Manage" (a general one instead of workspace specific), where it allows the current deletion of versions and is more an administrative tool, but still limited only to the workspaces one is allowed to see by By safely assuming that the purpose of normal user to delete was not about concerning server storage usages, rather to have a cleaner and shorter list with relevant changes to browse and work with, i would replace the Under the hood, it only "hides", just needs a column in |
Just a comment as I ran into exactly the same problem: In my implementation it's essential to have the history information to know exactly who changed what and when. Therefore the users must not be able to delete history entries and they are also not allowed to delete objects. In the past (up to pimcore v10) I removed the delete menu entries in JavaScript code by overwriting onRowContextmenu of pimcore.object.versions. With pimcore 11 this is not possible anymore as only events may be used, unfortunately there is no event for that. So for pimcore 11 I'm not able to get rid of the menu entry and I had to overwrite the deleteVersionAction to throw a AccessDeniedHttpException which is a terrible solution although it works. I really would appreciate to have the possibility again to remove the |
Linked the “Publish” context menu item of a version to the “Publish” permission
Linked permission to "Delete" a version to the "Delete" permission