Bolt 5.1.13 can't save general configuration : not allowed to do that

Open celtic34fr opened this issue 1 year ago • 3 comments

After installing Bolt 5.1.13 via the Composer project creation command, I tried to customize the configuration.

I want to change sitename and payoff in config/bolt/config.yaml with the backend application. After clicking on the save button, a message tells me that 'I am not allowed to do that'. When I try on version 5.1.12, there are no problems; I can save it without any access denied notification.

Details

| Question | Answer |
|---|---|
| Relevant Bolt Version | 5.1.13 |
| Install type | Composer install |
| BC Break | yes/no?? |
| PHP version | 8.1 |
| Web server | Nginx 1.18.0 |
| For UX/UI issues | Firefox 104 |

Reproduction

For reproduction, see the description at the beginning of this issue.

Bug summary

I saw that the problem comes up during the execution of the method 'save' (route: /file-edit/{location}, method: POST, FileEditController), lines 89 to 93. The test (! $this->config->getFileTypes()->contains($extension)) || (Str::startsWith(Path::makeRelative($filename, $basepath), '../')) returns TRUE -> that's why it doesn't save my changes and I get the message: You are not allowed to do that.

Specifics

Steps to reproduce

See the description at the beginning of this issue.

Expected result

As in version 5.1.12, I would have the same behavior: as ROLE_DEVELOPER, I would like to make changes in configuration files and be allowed to save them with the backend application.

Actual result

To change the configuration, I must use a source editor such as PhpStorm or VSCode to directly modify the config.yaml file.

Aug 29 '22 14:08 celtic34fr

I can confirm this as I have the same problem. I am using Bolt 5.1.14, PHP 8.1.9 on Apache local server.

Sep 03 '22 10:09 Pavlina1979

Hi, after researching why my Bolt CMS installation is behaving like this, I see that the lines I listed were added in the pull request "Prevent renaming or moving files while editing #3295". I do not doubt the usefulness of this modification, but I note an undesirable effect: whatever the role of the administrator (ROLE_ADMIN or ROLE_DEVELOPER), it is impossible to modify the parameters of the application with the interface.

Sep 13 '22 09:09 celtic34fr

Still the same behavior with version 5.1.15 .....

Sep 21 '22 09:09 celtic34fr

I've looked into this, and it turns out the solution is quite simple: add yaml to the accept_file_types in config/bolt/config.yaml

PR incoming, to set this as default.

Sep 29 '22 13:09 bobdenotter
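
The test quoted in the issue and the accept_file_types fix from the last comment, shown together as an added example (not Bolt's own code). The function isSaveAllowed() and the lexical normalizePath() helper, which stands in for Path::makeRelative, are hypothetical, and the base path and type lists are constructed sample values.

```php
<?php
declare(strict_types=1);

// Lexically normalise a path (no filesystem access): drops "." and resolves "..".
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

// Hypothetical stand-in for the quoted test: a save is refused when the
// extension is not in accept_file_types OR the target leaves the base path.
function isSaveAllowed(string $filename, string $basepath, array $acceptFileTypes): bool
{
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($extension, $acceptFileTypes, true)) {
        return false; // the branch that blocked config.yaml in this issue
    }
    $base = rtrim(normalizePath($basepath), '/') . '/';
    return str_starts_with(normalizePath($filename), $base);
}

// Constructed sample values, not Bolt's shipped defaults.
$basepath = '/var/www/bolt/config';
$withoutYaml = ['twig', 'html', 'css'];
$withYaml = [...$withoutYaml, 'yaml'];

$cases = [
    ['bolt/config.yaml', $withoutYaml],  // refused: yaml not in the list
    ['bolt/config.yaml', $withYaml],     // allowed once yaml is accepted
    ['../../secrets.yaml', $withYaml],   // still refused: escapes the base path
];
foreach ($cases as [$relative, $types]) {
    $ok = isSaveAllowed($basepath . '/' . $relative, $basepath, $types);
    printf("%-20s [%s] => %s\n", $relative, implode(',', $types),
        $ok ? 'saved' : 'You are not allowed to do that');
}
```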