
Roles & Groups aren't read-only when editing a user #9564

Open
edalzell opened this issue Feb 21, 2024 · 0 comments
Comments

@edalzell (Contributor)

Bug description

If a user does not have permission to assign roles, but the user blueprint imports a fieldset that has a roles field, the roles field is NOT read-only.

How to reproduce

  1. Create a field with a roles field:

         -
           handle: roles
           field:
             type: user_roles

  2. Import that field in the user blueprint
  3. Create a user with the assign roles permission
  4. Impersonate that user and open an existing user
  5. See that the roles field is editable (it shouldn't be)

Logs

No response

Environment

Environment
Application Name: Statamic
Laravel Version: 10.45.1
PHP Version: 8.3.3
Composer Version: 2.7.1
Environment: local
Debug Mode: ENABLED
URL: passivehouse.test
Maintenance Mode: OFF

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: statamic
Database: mysql
Logs: stack / daily, front
Mail: smtp
Queue: sync
Session: file

Statamic
Addons: 10
Antlers: runtime
Sites: 1
Stache Watcher: Enabled
Static Caching: Disabled
Version: dev-fix/read-only-roles PRO

Statamic Addons
aryehraber/statamic-captcha: 1.10.0
edalzell/forma: 2.1
jonassiewertsen/statamic-livewire: 2.12.0
mattrothenberg/statamic-mapbox-address: 0.7.4
statamic/seo-pro: 5.0.1
transformstudios/events: 5.0.2
transformstudios/front: 2.0.4
transformstudios/github: dev-main
transformstudios/review: 4.1.4
transformstudios/simple: dev-fix/user-super

Installation

Fresh statamic/statamic site via CLI

Antlers Parser

Runtime (default)

Additional details

The issue stems from this code in UserController:

    if (! User::current()->can('assign roles')) {
        $blueprint->ensureField('roles', ['visibility' => 'read_only']);
    }

Because the field DOES exist, that config is not merged in. If you try to use `$blueprint->ensureFieldHasConfig('roles', ['visibility' => 'read_only']);` instead, you get an error, because that method only fetches top-level fields and doesn't do the import. See the difference between:

    protected function ensureFieldInTabHasConfig($handle, $tab, $config)
    {
        $fields = $this->getTabFields($tab);

        $fields2 = $this->tabs()->get($tab)->fields();
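The lookup problem described above, as an added stand-alone example that is not Statamic's code and not part of the issue: it resolves `import:` entries before applying the read-only config, and fails closed if the handle is never found. The array layout and the helpers `resolveImports` and `ensureFieldHasConfig` are hypothetical stand-ins, not Statamic's methods of those names.

```php
<?php
// Added example, not Statamic's code: a stand-in for blueprint field lookup
// showing why a lookup that ignores `import:` entries misses the roles field,
// and how resolving imports first lets the read-only config land on it.
// Constructed fieldset, equivalent to the YAML in the report.
$fieldsets = [
    'user_extras' => [
        ['handle' => 'roles', 'field' => ['type' => 'user_roles']],
    ],
];
// Constructed user blueprint, flattened (real blueprints nest fields in
// tabs and sections, which does not change the point).
$blueprintFields = [
    ['handle' => 'name', 'field' => ['type' => 'text']],
    ['import' => 'user_extras'],
];

// Expand `import:` entries recursively so every field is addressable by handle.
function resolveImports(array $fields, array $fieldsets): array
{
    $out = [];
    foreach ($fields as $item) {
        if (isset($item['import'])) {
            $out = array_merge($out, resolveImports($fieldsets[$item['import']] ?? [], $fieldsets));
        } else {
            $out[] = $item;
        }
    }
    return $out;
}

// Merge $config into the named field after resolving imports. Throws when the
// handle is absent, so a silent miss cannot leave a privileged field editable.
function ensureFieldHasConfig(array $fields, array $fieldsets, string $handle, array $config): array
{
    $fields = resolveImports($fields, $fieldsets);
    $found = false;
    foreach ($fields as $i => $field) {
        if ($field['handle'] === $handle) {
            $fields[$i]['field'] = array_merge($field['field'], $config);
            $found = true;
        }
    }
    if (! $found) { throw new RuntimeException("field '$handle' not found in blueprint"); }
    return $fields;
}
// The gate from the report, taken for a user who lacks the 'assign roles' permission.
$blueprintFields = ensureFieldHasConfig($blueprintFields, $fieldsets, 'roles', ['visibility' => 'read_only']);
foreach ($blueprintFields as $field) {
    echo $field['handle'], ': ', $field['field']['visibility'] ?? 'editable', PHP_EOL;
}
```

Running it lists `name` as editable and `roles` as `read_only`; dropping the `resolveImports` call reproduces the report, since `roles` is then never seen and the exception fires instead of the field silently staying editable.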