-
-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not expose private metadata via relationfield serializer. #1635
base: main
Are you sure you want to change the base?
Conversation
@maethu thanks for creating this Pull Request and helping to improve Plone! TL;DR: Finish pushing changes, pass all other checks, then paste a comment:
To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically. Happy hacking! |
✅ Deploy Preview for plone-restapi canceled.
|
66027a5
to
bceee96
Compare
bceee96
to
b5124fa
Compare
@jenkins-plone-org please run jobs |
The permission to check if metadata access is allowed is "Access Contents Information"
|
if value: | ||
return [item for item in json_compatible(value) if item] | ||
else: | ||
return super().__call__() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if value: | |
return [item for item in json_compatible(value) if item] | |
else: | |
return super().__call__() | |
if value: | |
return [item for item in json_compatible(value) if item] | |
return super().__call__() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the sake of readability: No else
needed when the if
returns.
If the user hasn't the |
if value.to_object: | ||
mtool = api.portal.get_tool("portal_membership") | ||
if value.to_object and mtool.checkPermission("View", value.to_object): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is too much overhead and probably slow. Use the Zope basics, those are perfectly fine here:
from AccessControl.SecurityManagement import getSecurityManager
getSecurityManager().checkPermission(permission, obj)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
btw, if you anyway use plone.api
, there is api.user.check_permission
too as an alternative.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I am not wrong, plone.api may only be used in plone.restapi tests right? @plone/restapi-team
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure what the rules are, but if there are those rules, they must be documented somewhere.
In Plone we have these two permissions for a reason. You might want or not want to show an object in listing. You might want to tell, look there is a relation to X even if you're not allowed to view X details. Using these two permissions this is possible. Usually both are mapped the same in workflow permission mappings. But, depends on the customization, not always. |
Also consider: The serialization is also used when loading the item for editing. What should happen if a user has permission to edit an item that has references to items that they do not have permission to view? I am not sure what the right answer is, but I am sure that it is not silently removing the reference. |
…w permission on the current object.
Yes my bad... I should know this 🙈 The issue is in my workflow definition. But to clarify: So if doc1 has doc2 as related item. And the user does not have "Access Contents Information" on doc1. I totally doe see the issue regarding: This is no longer related to my issue, but I'm a bit confused what make sense and what not. I adapted the code to check for "Access content information" on the parent of the relation. But I'm not sure if the helps a lot... or if it makes things more confusing. I implemented some custom relation serializer on my end, which filters relations for anonymous users depending on the |
@@ -17,7 +18,12 @@ | |||
@adapter(IRelationValue) | |||
@implementer(IJsonCompatible) | |||
def relationvalue_converter(value): | |||
if value.to_object: | |||
has_permission = api.user.has_permission( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@plone/restapi-team In a comment above @erral wrote plone.api
usage is allowed in this package in tests only and asked if this is right. May one you confirm this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We agreed that we can use plone.api in tests. Though, if I am not mistaken we also decided lately that plone.restapi can use plone.api everywhere, correct? Sorry for the late reply here. Just want to get this straight.
if value.to_object: | ||
has_permission = api.user.has_permission( | ||
"Access Contents Information", | ||
obj=value.__parent__ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not get why we now check on parent? This is is probably a misunderstanding and wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably another miss-understanding on my end.
I used the parent, since @davisagli wrote in the issue #1634
@maethu In general, permission to view an object's metadata in listings is controlled by the "Access contents information" permission on its container, not the View permission.
I'm happy to change this!
@maethu @davisagli @jensens what's the status of this PR? |
@tisto From my point of view, I am waiting for a proposal for how to resolve the problem I mentioned in #1635 (comment) I think we need something like a way to include UIDs for items that the current user does not have permission to view. Probably this should be a querystring option. Then the edit view can ask for them and make sure they are not removed, but other use cases can leave them out. |
Sorry got a bit lost on my end. |
Fixes #1634
This PR implements two changes:
View
permission on target object.None
values in RelationListFieldSerializer, which result from not having a summary for inaccessible content.