Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BUGFIX: Allow to insert node inside not editable content collection (via policy) #3886

Open
wants to merge 1 commit into
base: 8.3
Choose a base branch
from

Conversation

mhsdesign
Copy link
Member

The canEdit check is evaluated by another privilege - the EditNodePrivilege - which is separate from the CreateNodePrivilege to allow or disallow node creation.

If EditNodePrivilege restricts almost all nodes except a few - say headline (by nodeIsOfType) - and CreateNodePrivilege does the same: only allow to create the headline (by createdNodeIsOfType), this policy is correctly enforced via the cr. The Neos ui though is a little to restrictive and allows LESS than what is allowed by the core. The EditNodePrivilege would be required to be granted for content collections to be able to insert content. To avoid having to grant this privilege - which comes with the burden of otherwise having to allow content collections AND its subtypes which could be sliders, and to be technically correct, we just dont evaluate the can edit here.

The button is still grey-d out if ALL nodes are disallowed by policy see:

export const makeIsAllowedToAddChildOrSiblingNodes = (nodeTypesRegistry: NodeTypesRegistry) => createSelector(
[
makeGetAllowedChildNodeTypesSelector(nodeTypesRegistry),
makeGetAllowedSiblingNodeTypesSelector(nodeTypesRegistry)
],
(allowedChildNodeTypes, allowedSiblingNodeTypes) =>
Boolean(allowedChildNodeTypes.length + allowedSiblingNodeTypes.length)
);

This behaviour has been since the introduction of Neos Ui policy evaluation: #1282

Though inside a commit shows that during the development the behavior was changed:

72b2614#diff-8b6869be808b6aad3e3ac19f6312c029d54112eb72aa09ffd757e4a7a686bcefR200

I can only assume that in "Enforce EditNodePrivilege for inline editing" the use of the canEdit flag was added to restrictive.

What I did

How I did it

How to verify it

…via policy)

The `canEdit` check is evaluated by another privilege - the `EditNodePrivilege` - which is separate from the `CreateNodePrivilege` to allow or disallow node creation.

If `EditNodePrivilege` restricts almost all nodes except a few - say headline (by `nodeIsOfType`) - and `CreateNodePrivilege` does the same: only allow to create the headline (by `createdNodeIsOfType`), this policy is correctly enforced via the cr.
The Neos ui though is a little to restrictive and allows LESS than what is allowed by the core. The `EditNodePrivilege` would be required to be granted for content collections to be able to insert content.
To avoid having to grant this privilege - which comes with the burden of otherwise having to allow content collections AND its subtypes which could be sliders, and to be technically correct, we just dont evaluate the can edit here.

The button is still grey-d out if ALL nodes are disallowed by policy see: https://github.com/neos/neos-ui/blob/2597ffef66f7901569b865e35ea634a941b50a7b/packages/neos-ui-redux-store/src/CR/Nodes/selectors.ts#L292-L299

This behaviour has been since the introduction of Neos Ui policy evaluation: #1282

Though inside a commit shows that during the development the behavior was changed:

72b2614#diff-8b6869be808b6aad3e3ac19f6312c029d54112eb72aa09ffd757e4a7a686bcefR200

I can only assume that in "Enforce EditNodePrivilege for inline editing" the use of the `canEdit` flag was added to restrictive.
@github-actions github-actions bot added Bug Label to mark the change as bugfix 8.3 labels Nov 13, 2024
@mhsdesign
Copy link
Member Author

For now ill be patching this like so:

Patch to allow writing policies allowing to create content inside of a content collection

The Neos Ui requires for that that the content collection is editable. But that is wrong and too restrictive than the core actually is.
As its cumbersome to patch the bundled Neos Ui javascript, this patch allows for a new method `isExactlyContentCollection` that can be
used instead of `nodeIsOfType(["Neos.Neos:ContentCollection"])` as this would do inheritance checks in the edit node privilege.

See also BUGFIX: Allow to insert node inside not editable content collection (via policy) https://github.com/neos/neos-ui/pull/3886

diff --git a/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php b/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php
index aba4e98892..333e71bc7e 100644
--- a/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php
+++ b/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php
@@ -142,6 +142,14 @@ class NodePrivilegeContext
         return false;
     }

+    public function isExactlyContentCollection(): bool
+    {
+        if ($this->node === null) {
+            return true;
+        }
+        return $this->node->getNodeType()->getName() === "Neos.Neos:ContentCollection";
+    }
+
     /**
      * Matches if the selected node belongs to one of the given $workspaceNames
      *

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
8.3 Bug Label to mark the change as bugfix
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant