Omit `PageRegion` representation from `ApiLayoutController::get()`, 403 if sending it in `::patch()` or `::post()`

Created on 1 April 2025, 1 day ago

Technically blocked on 📌 Add access control for "code components" and "asset libraries", special case: instantiated code components must be accessible to *all* Active , but work can begin ahead of that landing: because that will simply change the admin_permission of the PageRegion config entity type.

ApiLayoutController::(get|patch)() must omit PageRegion component trees from the response by modifying ::addGlobalRegions() → no regions will appear in the XB UI
ApiLayoutController::(patch|post) must validate that no component instances that are being modified are stored in a PageRegion config entity (a malicious user might try to bypass the above omission, or it might just be that the permissions for the user changed since they started editing)
BUT we must ensure that a user who does not have the PageRegion admin_permissions still sees the rendered regions; without having access to manipulate them. This likely requires changes to ::buildPreviewRenderable()
All of the above likely results in some refactoring of ::addGlobalRegions(), ::buildPreviewRenderable() etc. to be beneficial.

Out of scope:

Removing the option in the context menu for a component instance, that's for 📌 Pass current user's XB permissions to the XB UI Active and follow-ups to tackle.

Page regions no longer appear in the XB UI for users without the necessary permissions.

📌 Task

Status

Active

Version

0.0

Component

Internal HTTP API

Created by

🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Comments & Activities

Production build 0.71.5 2024