Unclear effect of "Edit any page" content permission

[raissanorth]

Overview

(Ingo's update on this ticket): It's unclear how "edit any page" permissions work, we need a better UX and messaging for this.

Affected Version

silverstripe/framework 4.x-dev 3b7802b The SilverStripe framework

Description

A user with access to Pages, but no content permissions is able to edit, save, delete, and publish Pages as well as Blocks.

See the permissions assigned to my user:

Steps to Reproduce

1. Create a security group with the permissions stated above.
2. Create a member and assign that member to the just created security group.
3. Navigate to an existing page (or page containing an elemental area and elements), try adding content and hitting the save button.
4. A success toast notification pops up. The content has been changed. Observe this changes within the CMS and in the database records.
5. Repeat step 3-4 by clicking the publish button.
6. Repeat step 3-4 by clicking archive and publish from the action menu.

[chillu]

Thanks for the clear bug report! I think this is a misunderstanding in how the functionality works. "Edit any page" (code: SITETREE_EDIT_ALL) is an override which bypasses any other permission checks. The actual page editing permissions are controlled through the "Settings" panel in SiteConfig, and then inherited down through the page tree structure.

@clarkepaul Can you put this on your radar to reword? I know there's a lot we should change around the UX for permission setting, but for now mentioning that distinction is a good first step?

[clarkepaul]

Already on our radar, most of it captured here https://github.com/silverstripe/silverstripe-framework/issues/4861 . This got my attention about a month ago when I had to do a demo of the permissions and couldn't figure it out myself :/ .

[newleeland]

This may be resolved in #8620 together with other CMS permission issues as a holistic solution

[chillu]

OK, closing in favour of the two referenced tickets.