BertKooij
commented
6 years ago Left a few inline comments, but also want to discuss the way the conditions are applied in get_versions/getlist... the logic seems quite complex, primarily due to the check for access_resource_group_enabled causing 3 different scenarios to be needed. It also only checks resource groups and not, say, context permissions, so I'm wondering if this is the best approach. It is pragmatic (better than no check at all) and should be fairly performant though, so, a pretty good start. ~ @Mark-H
Indeed, it looks a bit complex. I'm also not 100% convinced this will cover all the possibilities for restricting access to a resource. It is primarily based on the findPolicy method inside the ModResource object of MODX and than rewritten for using joins: https://github.com/modxcms/revolution/blob/2ad1f763a32afd28fd5b89e7f0ba5ceaa26bfad1/core/model/modx/modresource.class.php#L829.
MODX is using this for example for receiving the resource tree. But this iterates over all resources before deciding whether the user has access. Using this with VersionX2 will make things a lot slower (and messier).
Have you looked at using the $obj->checkPolicy method on modAccessibleObject instances? We'd need to grab the modResource object (if it still exists) but then VersionX would support any type of policy. ~ @Mark-H
This part is interesting, will check it later. Not having a 100% guarantee for having the corresponding ModResource makes it pretty difficult though. A edge-case would be having a restricted resource which is later removed. In that case it would not be possible to determine whether the user can access the version at all. Maybe a version should be kept of modResourceGroupResource as well ;)
I will spend a bit of time in the next few days on this PR.
Mark-H
This PR will fix #101. The resource will be checked against access through the resource group.