statamic / cms

The core Laravel CMS Composer package
https://statamic.com

Unexpected custom CP navigation behavior #9339

Open aerni opened 8 months ago

aerni commented 8 months ago

Bug description

I've got a custom CP navigation in a multi-site setup. In the example illustrated in the video, the user is only authorized to view the primary site. The custom CP section CIVICRM contains collections that are only configured for the secondary site. However, the user can still see the CIVICRM section. He shouldn't be able to see the section, as he doesn't have the permissions to edit the secondary site. Funnily enough, the section disappears when visiting the collections route, which is the expected state. But it is visible on all other routes.

https://github.com/statamic/cms/assets/23167701/15f758d9-b4e0-46fd-8c61-9ec904609687

How to reproduce

  1. Create a multi-site with a primary and secondary site
  2. Create a collection for the primary site
  3. Customize the CP navigation with a new section that contains the previously created collection
  4. Create a user with the permissions to only edit the secondary site
  5. Impersonate that user
  6. You now should still see the added CP navigation section, even though you shouldn't.

Logs

No response

Environment

Environment
Application Name: gomagazin
Laravel Version: 10.40.0
PHP Version: 8.2.14
Composer Version: 2.5.5
Environment: local
Debug Mode: ENABLED
URL: go-unity.test
Maintenance Mode: OFF

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: statamic
Database: mysql
Logs: stack / single, sentry, flare
Mail: postmark_gounity
Queue: redis
Session: file

Locales
Installed
LaravelLang\Actions\Plugin: 1.4.1
LaravelLang\Attributes\Plugin: 2.9.1
LaravelLang\HttpStatuses\Plugin: 3.8.0
LaravelLang\Lang\Plugin: 13.12.0
Locales Version: 1.9.0
Protected
Publisher Version: 15.0.2

Sentry
Enabled: MISSING DSN
Environment: local
Laravel SDK Version: 3.8.2
PHP SDK Version: 3.22.1
Release: NOT SET
Sample Rate Errors: 100%
Sample Rate Performance Monitoring: NOT SET
Sample Rate Profiling: NOT SET
Send Default PII: DISABLED

Statamic
Addons: 9
Antlers: runtime
Stache Watcher: Enabled
Static Caching: Disabled
Version: 4.44.0 PRO

Statamic Addons
aerni/advanced-seo: 2.4.0
aerni/livewire-forms: 8.1.0
aerni/social-links: 3.1.0
jacksleight/statamic-bard-texstyle: 3.1.4
jonassiewertsen/statamic-jobs: 1.4.0
jonassiewertsen/statamic-livewire: 2.12.0
rias/statamic-redirect: 3.5.0
spatie/statamic-responsive-images: 4.1.1
stillat/relationships: 2.1.3

Installation

Fresh statamic/statamic site via CLI

Antlers Parser

None

Additional details

No response

jasonvarga commented 7 months ago

Can you provide the code you used to add the custom section?

aerni commented 7 months ago

I just used the CP nav builder. This is my preference:

nav:
  reorder: true
  sections:
    top_level: '@inherit'
    content: '@inherit'
    civicrm:
      action: '@create'
      display: CiviCRM
      items:
        'content::collections::events_civicrm':
          action: '@move'
          display: Events
        'content::collections::communities_civicrm':
          action: '@move'
          display: Communities
        'content::collections::personen_civicrm':
          action: '@move'
          display: Personen
        'content::collections::locations_civicrm':
          action: '@move'
          display: Locations

jasonvarga commented 7 months ago

Gotcha. You said custom CP section; I thought you meant like nav items for an addon.