spAnser
commented
8 years ago Might have missed some parts when designing the user group exporting. This fix might end up being part of the migration update.
Closed steverowling closed 8 years ago
spAnser
commented
8 years ago Might have missed some parts when designing the user group exporting. This fix might end up being part of the migration update.
spAnser
commented
8 years ago Should be part of the latest commit on the hotfix branch if you want to test it out.
steverowling
commented
8 years ago Just tested the hot-fix/1.5.4 branch.
The categories are now exporting with handles rather than ids now, thanks.
However, I've now noticed that the createSubfoldersInAssetSource permission is not linked to the assetSources part of the JSON, but instead appears in the sections part. Example below:
{
"userGroups": [
{
"name": "Test Group",
"handle": "testGroup"
}
],
"userGroupPermissions": [
{
"handle": "testGroup",
"permissions": {
"general": [
"registerUsers",
"assignUserPermissions",
"administrateUsers",
"editUsers",
"editLocale:en_gb_site1",
"editLocale:en_gb_site2"
],
"assetSources": {
"acUserTaskFiles": [
"uploadToAssetSource",
"removeFromAssetSource",
"viewAssetSource"
]
},
"sections": {
"0": [
"createSubfoldersInAssetSource"
]
},
"categories": {
"acCustomCategories": [
"editCategories"
]
}
}
}
]
}Didn't see you were online on craft slack so pushed the version thinking you would check tomorrow.
I started a new hotfix branch fixing this.
When exporting User Groups, the permissions relating to category groups refer to the ids of the category groups. This is obviously dependent on adding category groups in the same order in installs that you wish to transfer User Group permissions between. This is inherently problematic as the chances of this happening are very slim.
Since fields and sections use handles when importing/exporting, they don't suffer from this vulnerability. Would it be possible to use the same technique for User Group permissions too?