Do not expose private metadata via relationfield serializer. #1635
Conversation
|
@maethu thanks for creating this Pull Request and helping to improve Plone! TL;DR: Finish pushing changes, pass all other checks, then paste a comment: To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically. Happy hacking! |
✅ Deploy Preview for plone-restapi canceled.
|
maethu
force-pushed
the
mle-fix-relationfield-permission-issue
branch
from
66027a5
to
bceee96
Compare
maethu
force-pushed
the
mle-fix-relationfield-permission-issue
branch
from
bceee96
to
b5124fa
Compare
|
@jenkins-plone-org please run jobs |
|
The permission to check if metadata access is allowed is "Access Contents Information"
|
| if value: | ||
| return [item for item in json_compatible(value) if item] | ||
| else: | ||
| return super().__call__() |
There was a problem hiding this comment.
| if value: | |
| return [item for item in json_compatible(value) if item] | |
| else: | |
| return super().__call__() | |
| if value: | |
| return [item for item in json_compatible(value) if item] | |
| return super().__call__() |
There was a problem hiding this comment.
For the sake of readability: No else needed when the if returns.
|
If the user hasn't the |
| if value.to_object: | ||
| mtool = api.portal.get_tool("portal_membership") | ||
| if value.to_object and mtool.checkPermission("View", value.to_object): |
There was a problem hiding this comment.
this is too much overhead and probably slow. Use the Zope basics, those are perfectly fine here:
from AccessControl.SecurityManagement import getSecurityManager
getSecurityManager().checkPermission(permission, obj)
There was a problem hiding this comment.
btw, if you anyway use plone.api, there is api.user.check_permission too as an alternative.
There was a problem hiding this comment.
If I am not wrong, plone.api may only be used in plone.restapi tests right? @plone/restapi-team
There was a problem hiding this comment.
I am not sure what the rules are, but if there are those rules, they must be documented somewhere.
In Plone we have these two permissions for a reason. You might want or not want to show an object in listing. You might want to tell, look there is a relation to X even if you're not allowed to view X details. Using these two permissions this is possible. Usually both are mapped the same in workflow permission mappings. But, depends on the customization, not always. |
|
Also consider: The serialization is also used when loading the item for editing. What should happen if a user has permission to edit an item that has references to items that they do not have permission to view? I am not sure what the right answer is, but I am sure that it is not silently removing the reference. |
…w permission on the current object.
|
Yes my bad... I should know this 🙈 The issue is in my workflow definition. But to clarify: So if doc1 has doc2 as related item. And the user does not have "Access Contents Information" on doc1. I totally doe see the issue regarding: This is no longer related to my issue, but I'm a bit confused what make sense and what not. I adapted the code to check for "Access content information" on the parent of the relation. But I'm not sure if the helps a lot... or if it makes things more confusing. I implemented some custom relation serializer on my end, which filters relations for anonymous users depending on the |
| @@ -17,7 +18,12 @@ | |||
| @adapter(IRelationValue) | |||
| @implementer(IJsonCompatible) | |||
| def relationvalue_converter(value): | |||
| if value.to_object: | |||
| has_permission = api.user.has_permission( | |||
There was a problem hiding this comment.
@plone/restapi-team In a comment above @erral wrote plone.api usage is allowed in this package in tests only and asked if this is right. May one you confirm this?
There was a problem hiding this comment.
We agreed that we can use plone.api in tests. Though, if I am not mistaken we also decided lately that plone.restapi can use plone.api everywhere, correct? Sorry for the late reply here. Just want to get this straight.
| if value.to_object: | ||
| has_permission = api.user.has_permission( | ||
| "Access Contents Information", | ||
| obj=value.__parent__ |
There was a problem hiding this comment.
I do not get why we now check on parent? This is is probably a misunderstanding and wrong.
There was a problem hiding this comment.
Probably another miss-understanding on my end.
I used the parent, since @davisagli wrote in the issue #1634
@maethu In general, permission to view an object's metadata in listings is controlled by the "Access contents information" permission on its container, not the View permission.
I'm happy to change this!
|
@maethu @davisagli @jensens what's the status of this PR? |
|
@tisto From my point of view, I am waiting for a proposal for how to resolve the problem I mentioned in #1635 (comment) I think we need something like a way to include UIDs for items that the current user does not have permission to view. Probably this should be a querystring option. Then the edit view can ask for them and make sure they are not removed, but other use cases can leave them out. |
Sorry got a bit lost on my end. |
Fixes #1634
This PR implements two changes:
Viewpermission on target object.Nonevalues in RelationListFieldSerializer, which result from not having a summary for inaccessible content.