BUG: Flushing of asset tags after changing media metadata causes "Read access denied for workspace" errors #5414

Open
1 task done
mficzel opened this issue Dec 24, 2024 · 1 comment · May be fixed by #5415

mficzel commented Dec 24, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

If the metadata of an asset that is used in another workspace the current user has no access to is changed, the following error occurs: Read access denied for workspace "....": User is no Neos Administrator and has no explicit role for workspace "admin-user"

This is caused by the method Neos\Neos\Fusion\Cache\AssetChangeHandlerForCacheFlushing::registerAssetChange(), which tries to flush all workspaces identified by \Neos\Neos\AssetUsage\GlobalAssetUsageService::findByFilter(), but some of those may not be accessible to the current user.

Expected Behavior

A user should be able to change Asset Metadata even if this asset was used by others.

Steps To Reproduce

  1. Create user editorA
  2. Login
  3. Insert an image
  4. Create user editorB
  5. Login
  6. Use Media module to assign a title to the image used in step 2 > DANG

Environment

- Flow: 9.0
- Neos: 9.0 (~beta 17)
- PHP: 8.3

Anything else?

The method that causes the exception is $contentRepository->getContentGraph($workspaceName) that is called in AssetChangeHandlerForCacheFlushing::line,50 ... did not find an obvious way around that.

@bwaidelich

I think those need to be executed with Neos\Flow\Security\Context::withoutAuthorizationChecks()

mficzel added a commit to mficzel/neos-development-collection that referenced this issue Dec 25, 2024
…rkspaces

This is done by flushing the caches inside a securityContext->withoutAuthorizationChecks closure.

Resolves: neos#5414
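
The following is an added example, not code from this issue or from the Neos project. It models the failure and the suggested approach with hypothetical stand-in classes, keeping only the method names withoutAuthorizationChecks() and getContentGraph() from the discussion. Workspace names, users and the access list are constructed.

```php
<?php
// Hypothetical stand-ins modelling this issue; NOT the Neos/Flow classes.
final class SecurityContextModel
{
    public bool $checksDisabled = false;
    /** Runs $callback with checks off and always restores the previous state. */
    public function withoutAuthorizationChecks(Closure $callback): mixed
    {
        $previous = $this->checksDisabled;
        $this->checksDisabled = true;
        try {
            return $callback();
        } finally {
            $this->checksDisabled = $previous; // also runs when $callback throws
        }
    }
}

final class ContentRepositoryModel
{
    /** @param array<string, list<string>> $readers workspace => users allowed to read */
    public function __construct(private SecurityContextModel $ctx, private string $user, private array $readers) {}
    public function getContentGraph(string $workspaceName): string
    {
        $allowed = in_array($this->user, $this->readers[$workspaceName] ?? [], true);
        if (!$allowed && !$this->ctx->checksDisabled) {
            throw new RuntimeException("Read access denied for workspace \"$workspaceName\"");
        }
        return "graph:$workspaceName";
    }
}

/** Only the flush runs unchecked (real code would flush cache tags per graph); returns a count, never content. */
function flushAssetUsages(SecurityContextModel $ctx, ContentRepositoryModel $cr, array $workspaces): int
{
    return $ctx->withoutAuthorizationChecks(
        fn (): int => count(array_map(fn (string $w) => $cr->getContentGraph($w), $workspaces))
    );
}

// Constructed sample: editorB changes metadata of an asset also used in editorA's workspace.
$ctx = new SecurityContextModel();
$cr = new ContentRepositoryModel($ctx, 'editorB', ['ws-a' => ['editorA'], 'ws-b' => ['editorB']]);
printf("%d workspaces flushed\n", flushAssetUsages($ctx, $cr, ['ws-a', 'ws-b']));
try {
    $cr->getContentGraph('ws-a'); // outside the closure the check applies again
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The closure wraps only the system-level flush and hands back nothing from the foreign workspace, so the editor's own read permissions are unchanged once it returns.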