strapi-plugin-navigation
"Has same role as creator" permission settings are not applied
Problem
Restricting "Read" and "Update" permissions to "Has same role as creator" doesn't work.
Steps to reproduce
- Create two roles and two users
- Grant only "Has same role as creator" permissions for the navigation plugin "read" and "update" operations

- Assign one user to the first role and the other one to the second role, log in with the first user and create a new navigation item

- Log out with the first user, log in with the second user and you can still see and edit the created navigation item of the first user with a different role than the currently logged in user.

Setup
"dependencies": { "@strapi/plugin-i18n": "~4.10.1", "@strapi/plugin-users-permissions": "~4.10.1", "@strapi/strapi": "~4.10.1", "better-sqlite3": "^8.0.1", "mysql": "^2.18.1", "strapi-plugin-navigation": "^2.2.8" }
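The access rule the steps above expect, as an added example that is not part of the original issue and is not Strapi or plugin code: a plain JavaScript model of a "Has same role as creator" check enforced server-side on both read and update. All function names and the sample data are hypothetical and constructed for illustration.

```javascript
// Added illustration; plain JavaScript model, not Strapi or plugin code.
// All names (sameRoleAsCreator, readable, update) are hypothetical.

// True only when the acting user shares at least one role with the creator.
// Fails closed: no creator recorded, or no roles on either side => denied.
function sameRoleAsCreator(user, entity) {
  const mine = new Set(((user && user.roles) || []).map((r) => r.id));
  const theirs = (entity && entity.createdBy && entity.createdBy.roles) || [];
  return theirs.some((r) => mine.has(r.id));
}

// "read": filter server-side, so items the user may not see never reach the UI.
function readable(user, items) {
  return items.filter((item) => sameRoleAsCreator(user, item));
}

// "update": re-check against the stored record, not against client input.
function update(user, store, id, patch) {
  const current = store.find((item) => item.id === id);
  if (!current || !sameRoleAsCreator(user, current)) {
    return { ok: false, status: 403 };
  }
  // Ownership fields are not client-writable, so strip them from the patch.
  const { createdBy, id: _ignored, ...safe } = patch;
  Object.assign(current, safe);
  return { ok: true, status: 200 };
}

// Constructed sample data mirroring the steps to reproduce.
const roleA = { id: 1, name: 'Role A' };
const roleB = { id: 2, name: 'Role B' };
const firstUser = { id: 10, roles: [roleA] };
const secondUser = { id: 11, roles: [roleB] };
const store = [
  { id: 100, title: 'Created by first user', createdBy: firstUser },
  { id: 101, title: 'No creator recorded', createdBy: null },
];

function demo() {
  return {
    firstSees: readable(firstUser, store).map((i) => i.id),
    secondSees: readable(secondUser, store).map((i) => i.id),
    secondUpdate: update(secondUser, store, 100, { title: 'x' }).status,
    firstUpdate: update(firstUser, store, 100, { title: 'Renamed', createdBy: secondUser }).status,
  };
}

console.log(demo());
```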
@manu7823 what you're describing is more like a "virtual tenancy" so single user / role can have and edit dedicated navigation. Operating on the same navigation structure and showing items per roles won't be possible because of duplicates which may happen.
It's a custom solution in my opinion and honestly we did something like that based on Strapi + Navigation plugin for our client by extending Navigation Collection with tenant relation and assigning roles per tenants.
I'm worried that your case is too custom to make it part of common codebase unfortunately. Anyway keep your eyes open, during the Strapi Conf such use case might be presented ;)
@cyp3rius that's exactly what I try to achieve! Thank you for the hint regarding the Strapi Conf :) Is there any way you would share the code you wrote for your client with me?
I might not share the codebase as that's a business value of a client but discuss and showcase the idea ;)
By now, this issue raises the problem that someone without permission, who should be able to edit navigation, could see other entity titles in edit mode inside navigation. That's a lack of business policies somehow. So, it's not usable if the application needs the combination of a role that can edit navigation but should only be able to have information about entities within its own role or things created on their own.
This makes the library some kind of backdoor and not usable in such cases... :(
[Edit] To give context: I need to implement a feature where a given role can edit content of its own. As part of the content, the role owners should be able to make use of some sort of sub navigations (mostly sidebars with links to other pages of their department) and at the same time aren't allowed to edit things like the main navigation.