If user with less/different permissions edits a page after a user with more/different permissions data lost could occur

Created on 21 May 2025, 12 days ago

Overview

Because we store only the changes in the auto-save that were sent back from the client, if a user does not have access to edit a field that has already been edited and saved in the auto-save by another user with permission to edit that field

Proposed resolution

Somehow merge in changes that are already stored in the auto-save but were not sent back from the current client requests.

This overlaps with 📌 [PP-1] Add entity access checks to routes that deal with entities Postponed , need to re-read that issue to figure out exactly how, and which one should be handled first

User interface changes

🐛 Bug report

Status

Active

Version

0.0

Component

Auto-save

Created by

🇺🇸United States tedbow Ithaca, NY, USA

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

stable blocker

Comments & Activities

Issue created by @tedbow
Comment 12 days ago →
🇺🇸United States tedbow Ithaca, NY, USA
I need to update the summary more and figure out the relationship to 📌 [PP-1] Add entity access checks to routes that deal with entities Postponed which I also need to review

I tagged this "Needs tests" because someone could actually write a test that confirms the problem even if don't know that actually solution yet.
Comment 12 days ago →
🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
This feels like it should be a beta blocker?
Comment 12 days ago →
🇫🇮Finland lauriii Finland
+1 for this being a beta blocker because of data loss.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024