
[6.x] Update authorization / permissions #11516


Merged: 29 commits, Mar 13, 2025
Conversation

@duncanmcclean (Member) commented Feb 28, 2025

This pull request:

  • Only applies our auth logic to Statamic permissions, which prevents us from interfering with custom auth gates.
  • Moves our auth logic from `Gate::before` to `Gate::after`, enabling users to more easily deny access to things.
  • Adds super user checks to `before` in most Statamic policies to continue to avoid overhead when users are super.

Closes #8337.
Closes #10832.
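The ordering change in the bullets above is the security-relevant part: Laravel's Gate runs `before` callbacks first and the first non-null answer wins, so a permission check that lives in `Gate::before` can never be overruled by a gate a site defines itself; an `after` callback's answer is only used when the gate or policy returned null. The script below is an added example, not Statamic's or Laravel's code. It uses a small stand-in class (`MiniGate`, hypothetical) that reproduces that documented evaluation order, a hypothetical `$cmsPermissions` list standing in for the resolved permission names, and a constructed `User` class, so it runs with plain `php` and no framework installed. It wires the same permission logic first into `before()` and then into `after()` next to a site-defined gate that denies, and also shows the "only our own abilities" guard, where the logic returns null for any ability it does not recognise.

```php
<?php
// Added example (not Statamic's or Laravel's code). MiniGate is a hypothetical
// stand-in that mirrors the evaluation order of Illuminate\Auth\Access\Gate:
//   1. before callbacks: the first non-null result wins and short-circuits the rest;
//   2. the ability callback (or policy) registered for the ability, if any;
//   3. after callbacks: their result is used only when steps 1-2 returned null.
declare(strict_types=1);

final class User
{
    public function __construct(
        public string $name,
        public bool $super = false,
        /** @var string[] */
        public array $permissions = [],
    ) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class MiniGate
{
    /** @var array<string, callable> */
    private array $abilities = [];
    /** @var callable[] */
    private array $before = [];
    /** @var callable[] */
    private array $after = [];

    public function define(string $ability, callable $callback): void { $this->abilities[$ability] = $callback; }
    public function before(callable $callback): void { $this->before[] = $callback; }
    public function after(callable $callback): void { $this->after[] = $callback; }

    public function allows(User $user, string $ability, array $arguments = []): bool
    {
        return (bool) $this->raw($user, $ability, $arguments);
    }

    private function raw(User $user, string $ability, array $arguments): ?bool
    {
        $result = null;
        foreach ($this->before as $callback) {
            $result = $callback($user, $ability, $arguments);
            if ($result !== null) {
                break; // a before callback overrides every later check
            }
        }
        if ($result === null && isset($this->abilities[$ability])) {
            $result = $this->abilities[$ability]($user, ...$arguments);
        }
        foreach ($this->after as $callback) {
            $afterResult = $callback($user, $ability, $result, $arguments);
            $result ??= $afterResult; // fills in a null result, never overrides one
        }
        return $result;
    }
}

// Hypothetical registry standing in for the CMS's resolved permission names
// (concrete abilities, placeholders such as "{collection}" already expanded).
$cmsPermissions = ['access cp', 'edit blog entries', 'delete blog entries'];

// The permission logic under discussion, written once so it can be registered either way.
// Returning null for abilities that are not CMS permissions keeps it out of custom gates.
$cmsAuthLogic = function (User $user, string $ability) use ($cmsPermissions): ?bool {
    if (! in_array($ability, $cmsPermissions, true)) {
        return null;
    }
    return $user->super || $user->hasPermission($ability);
};

// A site-defined gate on the same ability name that wants to deny (constructed scenario).
$siteDenies = fn (User $user): bool => false;

$editor = new User('editor', permissions: ['access cp', 'edit blog entries']);

// Old wiring: CMS logic in before(). Its non-null answer stops the site gate ever running.
$old = new MiniGate();
$old->before(fn (User $u, string $ability, array $args) => $cmsAuthLogic($u, $ability));
$old->define('edit blog entries', $siteDenies);

// New wiring: CMS logic in after(). The site gate answers first; CMS logic only fills gaps.
$new = new MiniGate();
$new->after(fn (User $u, string $ability, ?bool $result, array $args) => $cmsAuthLogic($u, $ability));
$new->define('edit blog entries', $siteDenies);

foreach (['edit blog entries', 'delete blog entries', 'view reports'] as $ability) {
    printf("%-20s before(): %-5s after(): %s\n", $ability,
        var_export($old->allows($editor, $ability), true),
        var_export($new->allows($editor, $ability), true));
}
```

With the `before()` wiring the editor is allowed to `edit blog entries` even though the site gate denies it, because the gate is never consulted; with the `after()` wiring the site gate's `false` stands and the CMS logic is only reached for `delete blog entries`, where no gate exists and the permission lookup decides. `view reports` is not a CMS permission, so the logic returns null in both wirings and, with no gate defined either, the request is denied by default rather than by the CMS. The super-user check stays inside the permission logic, and the PR additionally puts it in policy `before` methods so that a super user skips the per-ability lookup.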

Otherwise, when the `Authorize` middleware checks if the user has access to the CP, `Permission::all()` in the `Gate::before()` closure won't return any permissions as they haven't been booted yet.
Until I figure out a better solution. 🤔
Since there's no `DroidsClass` policy, I've updated this test to authorize using a permission instead, which'll work.
@duncanmcclean duncanmcclean marked this pull request as ready for review March 6, 2025 15:25
@duncanmcclean duncanmcclean force-pushed the super-user-authorization branch from 1136551 to 88e702f Compare March 7, 2025 12:46
@duncanmcclean duncanmcclean requested a review from jasonvarga March 7, 2025 16:13
Since more stuff gets evaluated now (all the permissions are compiled), all the sites will be looped over. Many tests were setting up sites without explicit names. They don't really need them, so here the site name will fall back to the handle.
@jasonvarga (Member) commented:

Since we're checking whether an ability is a Statamic one, I had to add a way to get all the resolved permissions. The `Permission::all()` you had there wouldn't work since it would include placeholders, e.g. `edit {collection} entries`. The ability passed would be `edit blog entries`. `Permission::flattened()` will now resolve all of them.

@jasonvarga jasonvarga changed the title [6.x] Re-work super user authorization check [6.x] Update authorization / permissions Mar 13, 2025
@jasonvarga jasonvarga merged commit a8726dd into master Mar 13, 2025
19 checks passed
@jasonvarga jasonvarga deleted the super-user-authorization branch March 13, 2025 15:23