enkelmedia / TheDashboard

Magic dashboard for Umbraco
MIT License
41 stars 42 forks

Hide nodes that the current User can't access #57

Closed enkelmedia closed 3 years ago

enkelmedia commented 3 years ago

Version 8.0.2 will show recent changes on nodes that the current User can't access.

Scenario:

There will be a performance hit to check permissions for each node in the recent list; need to test this and maybe provide an "opt out" setting if needed.

enkelmedia commented 3 years ago

Turns out that we do check permissions using userService.GetPermissions.

However, this does not take the user's start node into account.

enkelmedia commented 3 years ago

Turns out there is an internal method in Umbraco, ContentPermissionsHelper.HasPathAccess, used in many places, i.e. in the EnsureUserPermissionForContentAttribute used by the ContentService and the ContentTreeControllerBase. There is also user.HasPathAccess(), which is also internal.

All of these are internal so it does not help.

Might be that we have to "roll our own"; this would mean that there are several things to consider:

Update: It looks like the current implementation in regards to permissions works just fine; it will fetch the right permissions based on the User's Groups. The "only" issue is that we're not looking at the start nodes for either Groups or User.

Looks like Umbraco lets any Content Start Node settings on the User WIN over Group settings if defined. I.e. one group had access to everything but the User-specific setting made this setting "disappear". But this was only the case when the setting on the User was more "narrow" than the setting on the Group.

Another scenario is two groups with different start nodes and one start node on the User; this rendered all three.

Furthermore: CurrentUser will only contain start nodes for the user, not any of its groups.

We should use Security.CurrentUser.CalculateContentStartNodeIds(Services.EntityService, AppCaches)

Inspiration can also be found in ContentPermissionsHelper.IsInBranchOfStartNode()
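A sketch of the start-node check discussed in this thread, added here as an illustration and not taken from TheDashboard or Umbraco: it filters a recent-changes list by testing each node's comma-separated Path against an already calculated set of start node ids. `RecentChange`, `StartNodeFilter` and the sample ids are hypothetical; the start node ids are assumed to come from the `CalculateContentStartNodeIds` call mentioned above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical record for one row of the "recent changes" list.
public record RecentChange(int NodeId, string Path, string Name);

public static class StartNodeFilter
{
    private const int Root = -1; // Umbraco's id for the content root

    // True when the node itself or one of its ancestors is a start node.
    public static bool IsInBranchOfAnyStartNode(string path, ISet<int> startNodeIds)
    {
        if (string.IsNullOrWhiteSpace(path) || startNodeIds.Count == 0)
            return false; // fail closed: no path or no start nodes means hidden
        if (startNodeIds.Contains(Root))
            return true;  // a root start node covers the whole tree
        foreach (var segment in path.Split(','))
        {
            // Compare parsed ids, never substrings: "1056" must not match "10560".
            if (int.TryParse(segment, out var id) && startNodeIds.Contains(id))
                return true;
        }
        return false;
    }

    public static List<RecentChange> Visible(
        IEnumerable<RecentChange> changes, IEnumerable<int> startNodeIds)
    {
        var set = new HashSet<int>(startNodeIds);
        return changes.Where(c => IsInBranchOfAnyStartNode(c.Path, set)).ToList();
    }

    public static void Main()
    {
        // Constructed sample data: ids, paths and names are made up.
        var changes = new[]
        {
            new RecentChange(1078, "-1,1056,1078", "News article"),
            new RecentChange(2210, "-1,1057,2210", "HR policy"),
            new RecentChange(1056, "-1,1056", "News root"),
            new RecentChange(10561, "-1,10560,10561", "Lookalike id"),
        };
        var startNodes = new[] { 1056 }; // assumed output of CalculateContentStartNodeIds
        foreach (var c in Visible(changes, startNodes))
            Console.WriteLine($"{c.NodeId} {c.Name}"); // lists 1078 and 1056 only
    }
}
```

The check works on the Path string alone, so it adds no per-node lookup to the recent list; it covers only the start-node part and does not replace the group permission check done with userService.GetPermissions.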