Fix RBAC upload permissions #10484

Merged
merged 5 commits into from
Jun 17, 2021
@Convly Convly commented Jun 15, 2021

What does it do?

Fix an issue where setting permissions with conditions on the assets for the upload plugin can break the permissions checks.
In a previous PR, the auto-populate for the fetch has been removed, which caused the created_by attribute to be raw instead of populated, hence causing an issue when fetching the associated role.

As a fix, we simply use the raw identifier (from the created_by field) instead of trying to access the id property inside.

Another idea would've been to fetch directly the whole user based on the created_by id, but it would mean fetching also unwanted properties for the user, such as password & co.

Why is it needed?

Upload plugin's assets permissions are not working as they should.

How to test it?

See: #10452 ("Steps to reproduce this issue")

Related issue(s)/PR(s)

introduced by #10370
fix #10452

@Convly added the labels "issue: bug" and "source: core:upload" on Jun 15, 2021
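
The failure mode described in the PR description above, as an added JavaScript example (not code from the Strapi repository): a creator check that reads `created_by.id` gets `undefined` once the relation is no longer populated, so the asset's owner is denied. The helper names and sample objects are hypothetical, and the check goes slightly beyond the PR's fix by accepting both the raw and the populated shape of `created_by` and by failing closed when an id is missing.

```javascript
// Added illustration; all names are hypothetical, not Strapi's API.

// Return the creator's id whether `created_by` is a raw identifier
// (relation not populated) or a populated user object.
function creatorIdOf(entity) {
  const ref = entity == null ? undefined : entity.created_by;
  if (ref == null) return undefined;
  if (typeof ref === 'object') return ref.id;
  return ref; // raw id (number or string)
}

// Models the access the PR describes as broken: it assumes the
// relation is populated and reads the `id` property inside it.
function creatorIdAssumingPopulated(entity) {
  return entity.created_by.id;
}

// "Is creator" condition that fails closed: a missing id on either
// side never matches, so undefined === undefined cannot grant access.
function isCreator(user, entity, getCreatorId = creatorIdOf) {
  const creatorId = getCreatorId(entity);
  if (user == null || user.id == null || creatorId == null) return false;
  // Compare as strings so 7 and "7" (driver-dependent types) match.
  return String(creatorId) === String(user.id);
}

// Constructed sample data.
const owner = { id: 7 };
const otherUser = { id: 8 };
const rawAsset = { id: 1, name: 'logo.png', created_by: 7 };
const populatedAsset = { id: 2, name: 'doc.pdf', created_by: { id: 7 } };
const orphanAsset = { id: 3, name: 'old.png', created_by: null };

console.log('raw, tolerant check      :', isCreator(owner, rawAsset));
console.log('populated, tolerant check:', isCreator(owner, populatedAsset));
console.log('raw, populated-only check:',
  isCreator(owner, rawAsset, creatorIdAssumingPopulated));
console.log('other user               :', isCreator(otherUser, rawAsset));
console.log('no creator recorded      :', isCreator(owner, orphanAsset));
```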
codecov bot commented Jun 15, 2021

Codecov Report

Merging #10484 (24cf3a5) into master (0ab3503) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #10484    /-   ##
=======================================
  Coverage   58.06%   58.06%           
=======================================
  Files         185      185           
  Lines        6434     6434           
  Branches     1399     1399           
=======================================
  Hits         3736     3736           
  Misses       2235     2235           
  Partials      463      463           
Flag Coverage Δ
front ∅ <ø> (∅)
unit 58.06% <ø> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@strapi-bot

This pull request has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/roles-and-permissions/4947/3

Successfully merging this pull request may close these issues.

Default RBAC policies for Upload plugin not functioning properly