"Merge folders from multiple profiles" breaks "All permission" inheritance

Created on 30 December 2024, 10 days ago

Problem/Motivation

The changes introduced in 2.0.10 and 2.0.11 break the possibility to use the merge feature with an admin-like configuration. The "all permissions" just get replaced on sub-folders by the configuration from other roles.

Steps to reproduce

- Create 2 roles which control the same set of directories and sub-directories. One with limited access and one with "All permissions" set. The admin role just inherits its permissions from the directory to its sub-directories. The limited role has custom access per sub-directory configured.
- Check the "Merge folders from multiple profiles" checkbox on the configuration page.
- Users with the admin role mapped now have limited access due to a wrong merge.

Since I don't fully get into the merge logic from Dfm::mergeFolderConfs, I fixed that for me with the alter hook:

use Drupal\Core\Session\AccountProxyInterface;

/**
 * Implements hook_dfm_conf_alter().
 */
function custom_module_dfm_conf_alter(array &$conf, AccountProxyInterface $user) {
  // Find a top-level directory that grants "all" and inherits to sub-directories.
  $all_dir_name = NULL;
  foreach ($conf['dirConf'] as $dir_name => $dir_config) {
    $dir_parts = explode('/', $dir_name);
    if (count($dir_parts) === 1) {
      // In case the all permission is given, don't merge, just inherit it.
      if (isset($dir_config['perms']['all']) && !empty($dir_config['subdirConf']['inherit']) && $dir_config['perms']['all'] == 'all') {
        $all_dir_name = $dir_name;
        break;
      }
    }
  }

  if ($all_dir_name !== NULL) {
    // Overwrite the merged permissions of that directory and everything below it.
    foreach ($conf['dirConf'] as $dir_name => &$dir_config) {
      $dir_parts = explode('/', $dir_name);
      if ($dir_parts[0] == $all_dir_name) {
        $dir_config['perms'] = [];
        $dir_config['perms']['all'] = TRUE;
      }
    }
    // Break the reference left over from the by-reference loop.
    unset($dir_config);
  }
}

This solution only works for top-level directories and should be seen as a workaround, not a solution :)

🐛 Bug report
Status: Active
Version: 2.1
Component: Code
Created by: 🇩🇪Germany Hydra


Comments & Activities

  • Issue created by @Hydra
    • ilkay.can committed bac0c81f on 2.x
      Issue #3496556: Enable bidirectional inheritance during folder merge
      
  • 🇬🇪Georgia ilkay.can

    This probably happens because of the incorrect order of your user roles.

    Users with multiple roles get the bottom most profile

    The heaviest profile is used as the base profile and merging is done on top of it. Other profiles inherit permissions from the base profile. Not the other way.

    I guess this role ordering is not something that users pay much attention to and that's why I decided to make folder merging bidirectional in DFM 2.1.1

  • 🇬🇪Georgia ilkay.can

    Note:
    Bidirectional inheritance breaks "exception" configurations:

    Base profile (gives full access to a folder except for a special subfolder):
    1. /foo (all perms+inheritance)
    2. /foo/bar (list files)

    Other profile (gives full access to the same folder except for another special subfolder)
    1. /foo (all perms+inheritance)
    2. /foo/baz (list files)

    Bidirectional merge will make /foo/bar fully accessible which contradicts the base profile configuration.
    I think there is no perfect merging strategy that covers all cases.

  • 🇩🇪Germany Hydra

    Probably not, thx for the explanation.
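
The "exception" case from the note above, as an added example (a simplified model written for this page, not DFM's code or its merge algorithm). The profile array layout, the `list` permission name and all function names are assumptions; it unions each profile's effective permissions per folder and reports explicit entries that the merge widens.

```php
<?php
// Simplified model, NOT DFM's code.
// Assumed layout: profile = [folder path => ['perms' => [...], 'inherit' => bool]].

/** Permissions one profile yields for $path: its own entry, else the nearest configured ancestor. */
function effective_perms(array $profile, string $path): array {
  if (isset($profile[$path])) {
    return $profile[$path]['perms'];
  }
  for ($p = $path; ($i = strrpos($p, '/')) > 0;) {
    $p = substr($p, 0, $i);
    if (isset($profile[$p])) {
      return !empty($profile[$p]['inherit']) ? $profile[$p]['perms'] : [];
    }
  }
  return [];
}

/** Bidirectional merge: every configured folder gets the union of all profiles' effective perms. */
function merge_bidirectional(array $profiles): array {
  $merged = [];
  foreach ($profiles as $profile) {
    foreach (array_keys($profile) as $path) {
      foreach ($profiles as $other) {
        $merged[$path] = array_values(array_unique(
          array_merge($merged[$path] ?? [], effective_perms($other, $path))));
      }
    }
  }
  return $merged;
}

/** Audit: explicit, restricted entries whose merged result grants more than the entry itself. */
function widened_exceptions(array $profiles): array {
  $merged = merge_bidirectional($profiles);
  $hits = [];
  foreach ($profiles as $name => $profile) {
    foreach ($profile as $path => $entry) {
      $extra = array_diff($merged[$path], $entry['perms']);
      if ($extra && !in_array('all', $entry['perms'], TRUE)) {
        $hits[] = "$name: $path is [" . implode(',', $entry['perms']) . '], merge adds [' . implode(',', $extra) . ']';
      }
    }
  }
  return $hits;
}

// Constructed sample mirroring the two profiles in the note.
$profiles = [
  'base'  => ['/foo' => ['perms' => ['all'], 'inherit' => TRUE], '/foo/bar' => ['perms' => ['list'], 'inherit' => FALSE]],
  'other' => ['/foo' => ['perms' => ['all'], 'inherit' => TRUE], '/foo/baz' => ['perms' => ['list'], 'inherit' => FALSE]],
];
print_r(widened_exceptions($profiles));
```

A hit is a prompt for review, not necessarily an error: in the admin-plus-limited-role setup from the issue description the widening is the intended result.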
