neos-development-collection icon indicating copy to clipboard operation
neos-development-collection copied to clipboard

Published 20 hours ago verified publisher icon neos

Workspace Module: A restricted editor is able to click on publish selected changes to live and gets raw exceptions back

Open mhsdesign opened this issue 3 years ago • 4 comments

  1. go to a (non live) workspace with changes as an restricted editor

  2. observe, that as expected only Discard all changes is visible and the button Publish all changes to live is not shown for editor without access to live

  3. select a change, and notice the unexpected Publish selected changes button image

  4. ensure youre alone, close the curtains and secretly hit this ominous button.

  5. get a raw exception back image

expected behavior:

the in step 3 shown button is not show, if the editor has no access.

Neos 7.3.1

mhsdesign avatar Feb 16 '22 13:02 mhsdesign

Hmm, tried to reproduce that with Neos 5.3, and it does not have this issue :/

Screenshot 2022-02-16 at 15 27 35

markusguenther avatar Feb 16 '22 14:02 markusguenther

it seems youre only at step 2,

select the checkbox please;) (step 3)

mhsdesign avatar Feb 16 '22 14:02 mhsdesign

The problem is here: https://github.com/neos/neos-development-collection/blob/master/Neos.Neos/Resources/Private/Templates/Module/Management/Workspaces/Show.html#L189

The publish button has a "disabled" property if canPublishToBaseWorkspace is false, which is correct.

However, in the JavaScript code above, this attribute is removed as soon as a checkbox is clicked:

https://github.com/neos/neos-development-collection/blob/master/Neos.Neos/Resources/Private/Templates/Module/Management/Workspaces/Show.html#L118 https://github.com/neos/neos-development-collection/blob/master/Neos.Neos/Resources/Private/Templates/Module/Management/Workspaces/Show.html#L148

My suggestion would be to remove the "publish selected changes" button completely if you're not allowed to publish anyway. What sense does it make to unhide a link that is still disabled?

lorenzulrich avatar Feb 23 '22 09:02 lorenzulrich

funny found a duplicate: https://github.com/neos/neos-development-collection/issues/1507

@lorenzulrich thanks for digging into it - i think its a better ux to show all technical possible actions but hide them on demand...

im wondering why we then remove those classes ... hard to read this lovely dom manipulation code

mhsdesign avatar Jul 19 '22 16:07 mhsdesign

funny found a duplicate: #1507

The other issue also states, that it is possible to call publish actions from the content view of Neos. Does this still apply? If not, we should add it here (as the other issue is now closed).

Benjamin-K avatar Nov 25 '22 11:11 Benjamin-K

This was fixed lately in the ui if i recall correctly.

Thanks @Benjamin-K for hint tough!

mhsdesign avatar Nov 25 '22 12:11 mhsdesign

Could reproduce it

SCR-20230128-jea

crydotsnake avatar Jan 28 '23 12:01 crydotsnake