Omit `PageRegion` representation from `ApiLayoutController::get()`, 403 if sending it in `::patch()` or `::post()`

Created on 1 April 2025, 1 day ago

Overview

Technically blocked on 📌 Add access control for "code components" and "asset libraries", special case: instantiated code components must be accessible to *all* Active , but work can begin ahead of that landing: because that will simply change the admin_permission of the PageRegion config entity type.

Proposed resolution

  1. ApiLayoutController::(get|patch)() must omit PageRegion component trees from the response by modifying ::addGlobalRegions() → no regions will appear in the XB UI
  2. ApiLayoutController::(patch|post) must validate that no component instances that are being modified are stored in a PageRegion config entity (a malicious user might try to bypass the above omission, or it might just be that the permissions for the user changed since they started editing)
  3. BUT we must ensure that a user who does not have the PageRegion admin_permissions still sees the rendered regions; without having access to manipulate them. This likely requires changes to ::buildPreviewRenderable()
  4. All of the above likely results in some refactoring of ::addGlobalRegions(), ::buildPreviewRenderable() etc. to be beneficial.

Out of scope:

User interface changes

Page regions no longer appear in the XB UI for users without the necessary permissions.

📌 Task
Status

Active

Version

0.0

Component

Internal HTTP API

Created by

🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024