- Issue created by @wim leers
Technically blocked on 📌 Add access control for "code components" and "asset libraries", special case: instantiated code components must be accessible to *all* (Active), but work can begin ahead of that landing: because that will simply change the admin_permission of the PageRegion config entity type.
- ApiLayoutController::(get|patch)() must omit PageRegion component trees from the response by modifying ::addGlobalRegions() → no regions will appear in the XB UI
- ApiLayoutController::(patch|post) must validate that no component instances that are being modified are stored in a PageRegion config entity (a malicious user might try to bypass the above omission, or it might just be that the permissions for the user changed since they started editing)
- PageRegion admin_permissions still sees the rendered regions; without having access to manipulate them. This likely requires changes to ::buildPreviewRenderable()

::addGlobalRegions(), ::buildPreviewRenderable() etc. to be beneficial.

Out of scope:
Page regions no longer appear in the XB UI for users without the necessary permissions.
Active
0.0
Internal HTTP API
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
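
The read-side omission and the write-side validation described in the issue summary, sketched in plain PHP as an added example. It is not Experience Builder's code: the layout array shape, the function names and the 'content' key are hypothetical stand-ins, not Drupal APIs.

```php
<?php
declare(strict_types=1);

// Hypothetical, simplified model: a layout is [regionName => [componentUuid => props]].
// 'content' is the edited entity's own tree; every other key stands for a
// PageRegion config entity guarded by its admin permission.
const CONTENT_REGION = 'content';

/** GET side: drop PageRegion trees the user may not administer. */
function filterLayoutForUser(array $layout, bool $canAdministerRegions): array {
  if ($canAdministerRegions) {
    return $layout;
  }
  return array_intersect_key($layout, [CONTENT_REGION => TRUE]);
}

/**
 * PATCH/POST side: re-check on the server against the stored layout, never
 * against what the client was shown. Returns the region holding the instance.
 */
function assertInstanceIsEditable(array $storedLayout, string $uuid, bool $canAdministerRegions): string {
  foreach ($storedLayout as $region => $tree) {
    if (!array_key_exists($uuid, $tree)) {
      continue;
    }
    if ($region !== CONTENT_REGION && !$canAdministerRegions) {
      throw new DomainException("403: component $uuid is stored in page region '$region'");
    }
    return $region;
  }
  throw new DomainException("404: unknown component instance $uuid");
}

// Constructed sample data.
$stored = [
  'content' => ['uuid-hero' => ['heading' => 'Hi']],
  'header' => ['uuid-logo' => ['src' => '/logo.svg']],
];

var_dump(array_keys(filterLayoutForUser($stored, FALSE)));
echo assertInstanceIsEditable($stored, 'uuid-hero', FALSE), "\n";
try {
  // Permissions may have changed mid-session, or the request may name a
  // region component that the filtered GET response never exposed.
  assertInstanceIsEditable($stored, 'uuid-logo', FALSE);
} catch (DomainException $e) {
  echo $e->getMessage(), "\n";
}
```

Because the write-side check reads the stored layout and the user's current permission on every request, it holds regardless of what the filtered GET response contained.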