Users with lesser permissions cannot preview a page

Created on 1 July 2025, 4 days ago

Overview

If the user cannot edit config (asset library, code components), the preview does not render. That is because the preview gets that config from auto-save, which requires `edit` permission. The GET routes should use `.view`.

Proposed resolution

Example of our fix

    $collection->get('experience_builder.api.config.auto-save.get.js')
      ?->setRequirement('_entity_access', 'xb_config_entity.view');
    $collection->get('experience_builder.api.config.auto-save.get.css')
      ?->setRequirement('_entity_access', 'xb_config_entity.view');

User interface changes

πŸ› Bug report
Status

Active

Version

0.0

Component

… to be triaged

Created by

🇺🇸 United States mglaman WI, USA
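
The route override from the issue summary, placed in a route subscriber that only relaxes the requirement when the route is limited to read-only HTTP methods. This is an added example, not code from the issue or from Experience Builder; the module name `mymodule` and the class name are hypothetical, and the route names and requirement value are the ones quoted above.

```php
<?php

declare(strict_types=1);

// "mymodule" is a hypothetical module name used for this example.
namespace Drupal\mymodule\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Lets users with "view" access read auto-saved config during preview.
 *
 * Register the class in mymodule.services.yml with the "event_subscriber" tag.
 */
final class AutoSaveReadAccessSubscriber extends RouteSubscriberBase {

  // Route names as quoted in the issue summary.
  private const READ_ROUTES = [
    'experience_builder.api.config.auto-save.get.js',
    'experience_builder.api.config.auto-save.get.css',
  ];

  protected function alterRoutes(RouteCollection $collection): void {
    foreach (self::READ_ROUTES as $name) {
      $route = $collection->get($name);
      if ($route === NULL) {
        // Route not defined in this build; nothing to alter.
        continue;
      }
      // An empty method list means "any HTTP method" in Symfony routing, so
      // leave the stricter requirement in place unless the route is
      // explicitly limited to safe reads.
      $methods = $route->getMethods();
      if ($methods === [] || array_diff($methods, ['GET', 'HEAD']) !== []) {
        continue;
      }
      $route->setRequirement('_entity_access', 'xb_config_entity.view');
    }
  }

}
```

The method check keeps a route that also accepts write methods on its original `edit` requirement, so lowering the operation to `view` cannot widen access to a write path.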


Comments & Activities

  • Issue created by @mglaman
  • 🇺🇸 United States effulgentsia

    "view" as the entity operation makes sense, but I think if we do that, we need to also make sure that the access handler uses a permission like "view unpublished" or "view latest version" (see Content Moderation for reference) if the entity is the one that's in auto-save.

  • 🇺🇸 United States mglaman WI, USA

    The problematic entities were config entities, which don't support revisions. Not the actual entity being edited itself. I don't know if this affects regular component config for SDCs.

  • 🇺🇸 United States mglaman WI, USA

    Flagging for tests. There must be existing tests that have missing coverage.
