rolandtoth / AdminOnSteroids

Various ProcessWire admin tweaks to boost productivity.
https://processwire.com/talk/topic/13389-adminonsteroids/
GNU General Public License v2.0

Repeater access problems for non-superusers #36

Closed: Toutouwai closed 7 years ago

Toutouwai commented 7 years ago

I originally posted this issue at processwire/processwire-issues but have since traced it back to AdminOnSteroids. I can reproduce it on a clean PW 3.0.51 installation with no other modules installed besides AOS.

It's not clear to me how AOS could be causing this, and the issue occurs despite all submodules being disabled, and even when AOS is toggled to disabled using the footer button.

Short description of the issue

Non-superuser roles cannot upload images to an image field inside a Repeater (upload occurs but then thumbnail disappears and image is not retained on save).

Also, non-superuser roles cannot open a nested Repeater item inside a Repeater (endless spinner), and cannot create a new nested Repeater item inside a Repeater (clicking "Add New" has no effect).

If the Repeater system template is edited and the role is explicitly given access then the role may use the Repeater as expected.

Expected behavior

Image and Repeater fields inside a Repeater should be accessible to roles that have edit access to the page the Repeater is on.

Steps to reproduce the issue

  1. Create a non-superuser role "editor" and give it page-edit permission.
  2. Edit the access tab for the "home" template and specify that edit access is not inherited by children (not sure if this is necessary but that is how my installation is configured).
  3. Create an Image field and a Repeater field.
  4. Create another Repeater field, and add the Image and Repeater fields from step 3 to it.
  5. Create a template and add the Repeater field from step 4. Give the editor role edit access to this template.
  6. Create a page that uses the template.
  7. Log in as a user with the editor role and test.

Note that if the Repeater system template is edited and the editor role is explicitly given access then the role may use the Repeater as expected. However, once this has been done the access issue cannot be reproduced even after reverting to the "No" option for "Do you want to manage view and edit access for pages using this template?". It's as if changing these settings once is enough to trigger the expected role access that should happen in the first place.

The JS error that comes with the endless spinner and failing "Add New" click:

Uncaught Error: Syntax error, unrecognized expression: {"error":false,"message":"The requested process does not exist"}
    at Function.nt.error (JqueryCore.js?v=1485015048:2)
    at ut (JqueryCore.js?v=1485015048:2)
    at vt (JqueryCore.js?v=1485015048:2)
    at vt (JqueryCore.js?v=1485015048:2)
    at Function.nt [as find] (JqueryCore.js?v=1485015048:2)
    at init.find (JqueryCore.js?v=1485015048:2)
    at init (JqueryCore.js?v=1485015048:2)
    at v (JqueryCore.js?v=1485015048:2)
    at Object.success (InputfieldRepeater.js?v=106-1485015048:229)
    at l (JqueryCore.js?v=1485015048:2)

I don't see any JS error for the images issue.

Setup/Environment

rolandtoth commented 7 years ago

I wasn't able to reproduce it, though you haven't specified which templates the Editor user can edit and exactly what permissions he has. If I add the repeater to the Home it works fine. My "editor" role has edit-create-add_children permissions.

Any chance that you added the permission "page-edit-created" or "page-publish" to the editor? Once I got a similar issue and that was the culprit. They are available in Permissions - Add new - Predefined permissions. But if it works when AOS is uninstalled then it's probably not this.

Toutouwai commented 7 years ago

The editor role has page-edit permission for the template that has the repeater field. That should be all that is needed to access Page Edit and use the repeater field.

The issue occurs on the "home" template or any other template.

I have set up an online test environment to demonstrate. Will PM you with access details via the forum.

Toutouwai commented 7 years ago

Fixed now, closing...