Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Role Authority Editability #16568

Merged
merged 3 commits into from
Jul 5, 2024
Merged

Fix Role Authority Editability #16568

merged 3 commits into from
Jul 5, 2024

Conversation

smg6511
Copy link
Collaborator

@smg6511 smg6511 commented May 8, 2024

What does it do?

Add new listener routine to restrict editing based on whether a Role is assigned to an ACL entry. Also:

  1. Adds new UI feedback, both a lock icon (instead of pencil) on hover of authority as well as an alert dialog when double-clicking on locked authority
  2. Ensures authority cannot be deleted in grid editor
  3. Remove pencil icon for cells of non-editable Roles

Why is it needed?

The ability to edit an assigned Role's authority leads to orphaned ACL rules that not longer show up in the manager, yet remain in the database. See the referenced issue below.

How to test

  1. Rebuild template (grunt build) and clear manager and browser caches
  2. Create a few Roles under the Access Control Lists section
  3. Assign at least one Role to any ACL entry of your choice
  4. Verify that the assigned Roles' authority is locked in the Roles grid
  5. Verify that unassigned Roles remain fully editable in the Roles grid (authority is unlocked)

Note

The initial commit contains all substantive changes, while the follow up is just code-style/optimization oriented.

Related issue(s)/PR(s)

Resolves #16565

@smg6511 smg6511 requested review from opengeek and Mark-H as code owners May 8, 2024 16:24
@smg6511 smg6511 added the requires build Grunt build is required for integration label May 9, 2024
@opengeek opengeek added this to the v3.1.0 milestone May 31, 2024
@opengeek opengeek requested a review from jitola June 13, 2024 15:40
@smg6511 smg6511 mentioned this pull request Jun 13, 2024
Merged
@opengeek
Copy link
Member

As mentioned out of context in #16469, I think we need to consider just letting authority be presented/editable directly as an integer authority value when editing ACLs. Or don't allow ACLs to be edited at all, only allowing them to be created (setting the authority from a role) and deleted.

@opengeek
Copy link
Member

opengeek commented Jun 13, 2024
edited
Loading

Actually, if we make modUserGroupRole.authority a unique index, we can rely on the link between a role and an authority. If no one has objections, I'll make this change, add the appropriate upgrade scripts, and add an upgrade test to ensure there are not multiple modUserGroupRole objects with the same authority before the upgrade to 3.1 can be executed. Then this PR can stand as is.

@smg6511
Copy link
Collaborator Author

smg6511 commented Jun 13, 2024

make modUserGroupRole.authority a unique index

Makes sense to me ;-)

@opengeek opengeek mentioned this pull request Jun 24, 2024
Merged
smg6511 and others added 3 commits July 5, 2024 12:23
@smg6511 @opengeek
Correct Role authority editability
6526ebd 
Ensure authority cannot be changed on assigned Roles
@smg6511 @opengeek
Update modx.grid.role.js
0bb0b9b 
Formatting and code style fixes and optimizations
@opengeek
grunt build
6868fbc
@opengeek opengeek merged commit e0f83db into modxcms:3.x Jul 5, 2024
6 checks passed
opengeek added a commit that referenced this pull request Jul 5, 2024
@opengeek
Make authority a unique index on modUserGroupRole (#16587)
8cd57b5 
### What does it do?
Adds a unique index to the modUserGroupRole.authority field.

### Why is it needed?
modUserGroupRole records are linked to ACLs via the authority value, so
those MUST be unique or referential integrity is lost.

### How to test
Run the transport build, execute the setup, and verify that after adding
a modUserGroupRole record with a non-unique authority value, the upgrade
stops with a failure describing what you need to do in order to resolve
the situation before re-running the setup. After removing the non-unique
record, verify that setup then runs successfully and a unique index is
added to the authority column.

### Related issue(s)/PR(s)
This is related to and should be adopted along with #16568 — see
discussion on that PR.
@smg6511 smg6511 deleted the 3.x-issue-16565 branch August 27, 2024 16:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ibochkarev Ibochkarev Ibochkarev approved these changes

@Mark-H Mark-H Mark-H approved these changes

@opengeek opengeek Awaiting requested review from opengeek opengeek is a code owner

@jitola jitola Awaiting requested review from jitola

Assignees
No one assigned
Labels
requires build Grunt build is required for integration
Projects
None yet
Milestone
v3.1.0
Development

Successfully merging this pull request may close these issues.

Changes to a Role’s definition do not carry through to related ACL entries
4 participants
@smg6511 @opengeek @Mark-H @Ibochkarev