search

verbb / workflow

A Craft CMS plugin to create a workflow for publishing entries.
Other
140 stars 27 forks source link

Reviewer can't approve/reject from entry page when permissions are missing, but still can from the submission list #184

Open uandco opened 1 year ago

uandco commented 1 year ago

Describe the bug

I had forgotten to set the permission Save other users’ drafts on my a reviewer.

When viewing an entry requiring approval as this reviewer, the comment/approve/reject section would show up as normal but none of the buttons would work (nothing happened at all when clicking, no XHR request, no JS error, just as if the click event was disabled).

From the workflow submissions list, the same user could still approve/reject though.

I reckon it comes from how Craft handles the sidebar, and would prevent anything to be modified from the entry page if the user attempting the change doesn't have the permission to do so.

I'm not sure what's the best fix for this. Either bypass the check and still allow the approve/reject, or not show the comment/approve/reject section at all, or display a warning message mentioning higher permissions are needed (I would go with that one).

Steps to reproduce

  1. Do not set the Save other users’ drafts permission for entries (for example pages) on the reviewer group
  2. Create a user (we'll call it "user B") in that group
  3. Create a new draft with user A (author)
  4. Submit the draft for review
  5. Review the draft with User B
  6. Click the entry
  7. Try to click "Accept" or "Reject" in the review box, beloew "Comments"

Craft CMS version

Craft Pro 4.3.7.1

Plugin version

2.0.3

Multi-site?

No

Additional context

No response

engram-design commented 1 year ago

Hmmm, now that is indeed tricky. In that scenario, there's a "Save" or "Apply" button on the top-right of the page to save the entry (without Workflow factored in at all), due to the permissions for the user. This is because they can't do anything with the entry, but Workflow should probably be aware of that.

I think if anything, maybe the Workflow panel shouldn't be shown in this scenario as you can't do anything meaningful. We should also probably be adding a check to approval process on the Workflow area as well.