Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove unused / update menu permissions #16595

Open
wants to merge 8 commits into
base: 3.x
Choose a base branch
from

Conversation

Ruslan-Aleev
Copy link
Collaborator

@Ruslan-Aleev Ruslan-Aleev commented Jul 26, 2024

What does it do?

Remove unused menu permissions:

  • about;
  • credits;
  • export_static;
  • menu_security;
  • menu_support;
  • menu_tools;

Update menu permissions:

  • menu_site;
  • menu_trash;
  • components;
  • for Settings menu (cog icon);
  • for Media menu;
  • for Access menu;

Brought permissions to a single format 'menu_*', added permissions for menu folders.
For example, the entire settings folder (cog icon) was hidden when disabling the system settings item permission, because the same permission settings was set (although there was a separate menu_system permission, but for some reason it was not used).

Related issue(s)/PR(s)

#14498

@Ruslan-Aleev Ruslan-Aleev added area-core pr/review-needed Pull request requires review and testing. area-acl labels Jul 26, 2024
@Ruslan-Aleev Ruslan-Aleev force-pushed the 3.x-fix-14498 branch 5 times, most recently from 43457eb to c64ef7c Compare July 26, 2024 19:45
@Ruslan-Aleev Ruslan-Aleev force-pushed the 3.x-fix-14498 branch 2 times, most recently from 46fc1b8 to aaa7467 Compare August 8, 2024 22:18
@Ruslan-Aleev Ruslan-Aleev added this to the v3.0.6 milestone Aug 9, 2024
@rthrash rthrash modified the milestones: v3.0.6, v3.1.0 Sep 17, 2024
@matdave
Copy link
Contributor

matdave commented Sep 24, 2024

While I like this, I'm having trouble getting the 3.0.0-policy-permissions-menu-update.php file to actually correct my permissions on an update. Additionally, It is possible for someone to have duplicated or created a new Admin Policy Template, in which case I believe this would only correct one template (if it fired), since it uses getObject.

@matdave
Copy link
Contributor

matdave commented Sep 24, 2024

I just tested, these should be in the 3.1.0-pl upgrade file.

@Ruslan-Aleev
Copy link
Collaborator Author

Ruslan-Aleev commented Sep 25, 2024

Additionally, It is possible for someone to have duplicated or created a new Admin Policy Template, in which case I believe this would only correct one template (if it fired), since it uses getObject.

I don't quite understand, isn't the permission key enough to update/delete it? The template shouldn't play a role, or am I wrong?

@matdave
Copy link
Contributor

matdave commented Sep 25, 2024

I don't quite understand, isn't the permission key enough to update/delete it? The template shouldn't play a role, or am I wrong?

The primary key of Access Permissions is their ID. When you duplicate a policy, all of their permission names are duplicated as well. So it is possible for there to be multiple entries for 'about', 'credits', 'export_static', 'menu_security', and 'menu_support' for example.

Copy link
Contributor

@matdave matdave left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Revert setup/includes/upgrades/mysql/3.0.0-pl.php
  • Create a link in setup/includes/upgrades/mysql/3.1.0-pl.php to the 3.1.0-policy-permissions-menu-update.php

@Ruslan-Aleev
Copy link
Collaborator Author

So it is possible for there to be multiple entries for 'about', 'credits', 'export_static', 'menu_security', and 'menu_support' for example.

I still don't understand the problem, wouldn't a request like $modx->getObject(modAccessPermission::class, ['name' => 'about']); get all about entries?

@matdave
Copy link
Contributor

matdave commented Sep 26, 2024

I still don't understand the problem, wouldn't a request like $modx->getObject(modAccessPermission::class, ['name' => 'about']); get all about entries?

No, getObject gets a single object. It is the same as adding limit->(1) to a query

@matdave
Copy link
Contributor

matdave commented Sep 26, 2024

Basically, I'd recommend changing:

$permission = $modx->getObject(modAccessPermission::class, ['name' => $permissionItem]);

    if ($permission instanceof modAccessPermission) {

To

$c = $modx->newQuery(modAccessPermission::class);
$c->where(['name' => $permissionItem]);
$permissions = $modx->getIterator(modAccessPermission::class, $c);

foreach($permissions as $permission) {

    if ($permission instanceof modAccessPermission) {

@opengeek
Copy link
Member

Further, we need to make sure the permissions being updated are from the appropriate templates. You would need to limit the query by template ids for the targeted template group( s ).

@Ruslan-Aleev
Copy link
Collaborator Author

@opengeek

You would need to limit the query by template ids for the targeted template group( s ).

Why do we need a template limit? I change/delete these permissions everywhere.

@opengeek
Copy link
Member

opengeek commented Oct 1, 2024

@opengeek

You would need to limit the query by template ids for the targeted template group( s ).

Why do we need a template limit? I change/delete these permissions everywhere.

Because permissions with the same key can have different meanings in different template groups. There may not be any of those in this batch, but users can create their own template groups/templates/permissions and the permission names could match. If they did, you would be changing those permissions and breaking their use of them. So while I get in this case there will probably not be any such conflicts (or at least the chances are very low), we need to treat the situation as if they could and write the upgrade scripts appropriately.

@Ruslan-Aleev Ruslan-Aleev force-pushed the 3.x-fix-14498 branch 2 times, most recently from 91f5f03 to 5b23faf Compare October 1, 2024 13:11
@Ruslan-Aleev
Copy link
Collaborator Author

Ruslan-Aleev commented Oct 1, 2024

@matdave @opengeek I think I fixed it (as far as I understood), check.

@theboxer
Copy link
Member

theboxer commented Oct 7, 2024

@Ruslan-Aleev can you please rebase this PR to the current 3.x branch, or do you want me to handle that?

@Ruslan-Aleev Ruslan-Aleev force-pushed the 3.x-fix-14498 branch 3 times, most recently from f1f20cd to 423a9f5 Compare October 8, 2024 09:23
@Ruslan-Aleev
Copy link
Collaborator Author

@theboxer Corrected, please check.

@opengeek opengeek dismissed matdave’s stale review October 8, 2024 19:16

The requested change was addressed.

@Ruslan-Aleev
Copy link
Collaborator Author

I'll have to edit it again after updating the 3.x branch, I'll do it in a few days.

@rthrash
Copy link
Member

rthrash commented Oct 24, 2024

Hi @Ruslan-Aleev will you have a chance to get to this soon? We've only got one additional PR to sort out plus this one to get to the 3.1 release.

@Ruslan-Aleev
Copy link
Collaborator Author

@rthrash @theboxer @matdave @opengeek Conflicts corrected, please check.

@theboxer
Copy link
Member

Further, we need to make sure the permissions being updated are from the appropriate templates. You would need to limit the query by template ids for the targeted template group( s ).

@opengeek Are you sure this change won't break custom permissions? You can easily create a custom policy template and add there regular permissions like components, which will control same thing as components in pre-installed policy templates.

So with the limit to update only built in policy templates, all custom ones will remain untouched and permissions may/will break for users.

The fact that the custom permissions may match those renames is quite dangerous on it's own.

My vote would be to NOT rename any permissions as it's very dangerous and unsafe land.

For removing unused permissions, that's also debatable. As you can do basically anything asa MODX admin, you can easily tie custom menu entries/CMPs into existing permissions. Should you do that? Probably not, but nothing stops you (and I don't think we warn somewhere from this practice). Should an upgrade potentially leak parts of admin area to unauthorised users? Probably not.

@Ruslan-Aleev
Copy link
Collaborator Author

The fact that the custom permissions may match those renames is quite dangerous on it's own.

This could happen, but I think it's very unlikely.

The problem is that the access settings are now just a mess, without logic, and it would be better to put things in order there, and that's what I'm thinking of doing.

@opengeek opengeek modified the milestones: v3.1.0, v3.1.1 Dec 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-acl area-core pr/review-needed Pull request requires review and testing.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants