BUGFIX: Allow to insert node inside not editable content collection (via policy) #3886
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…via policy) The `canEdit` check is evaluated by another privilege - the `EditNodePrivilege` - which is separate from the `CreateNodePrivilege` to allow or disallow node creation. If `EditNodePrivilege` restricts almost all nodes except a few - say headline (by `nodeIsOfType`) - and `CreateNodePrivilege` does the same: only allow to create the headline (by `createdNodeIsOfType`), this policy is correctly enforced via the cr. The Neos ui though is a little to restrictive and allows LESS than what is allowed by the core. The `EditNodePrivilege` would be required to be granted for content collections to be able to insert content. To avoid having to grant this privilege - which comes with the burden of otherwise having to allow content collections AND its subtypes which could be sliders, and to be technically correct, we just dont evaluate the can edit here. The button is still grey-d out if ALL nodes are disallowed by policy see: https://github.com/neos/neos-ui/blob/2597ffef66f7901569b865e35ea634a941b50a7b/packages/neos-ui-redux-store/src/CR/Nodes/selectors.ts#L292-L299 This behaviour has been since the introduction of Neos Ui policy evaluation: #1282 Though inside a commit shows that during the development the behavior was changed: 72b2614#diff-8b6869be808b6aad3e3ac19f6312c029d54112eb72aa09ffd757e4a7a686bcefR200 I can only assume that in "Enforce EditNodePrivilege for inline editing" the use of the `canEdit` flag was added to restrictive.
|
For now ill be patching this like so: Patch to allow writing policies allowing to create content inside of a content collection
The Neos Ui requires for that that the content collection is editable. But that is wrong and too restrictive than the core actually is.
As its cumbersome to patch the bundled Neos Ui javascript, this patch allows for a new method `isExactlyContentCollection` that can be
used instead of `nodeIsOfType(["Neos.Neos:ContentCollection"])` as this would do inheritance checks in the edit node privilege.
See also BUGFIX: Allow to insert node inside not editable content collection (via policy) https://github.com/neos/neos-ui/pull/3886
diff --git a/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php b/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php
index aba4e98892..333e71bc7e 100644
--- a/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php
+++ b/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php
@@ -142,6 +142,14 @@ class NodePrivilegeContext
return false;
}
+ public function isExactlyContentCollection(): bool
+ {
+ if ($this->node === null) {
+ return true;
+ }
+ return $this->node->getNodeType()->getName() === "Neos.Neos:ContentCollection";
+ }
+
/**
* Matches if the selected node belongs to one of the given $workspaceNames
* |
Sebobo
approved these changes
Apr 1, 2025
markusguenther
approved these changes
Jun 15, 2025
markusguenther
deleted the
bugfix/do-not-require-EditNodePrivilege-when-inserting-child-nodes
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
canEditcheck is evaluated by another privilege - theEditNodePrivilege- which is separate from theCreateNodePrivilegeto allow or disallow node creation.If
EditNodePrivilegerestricts almost all nodes except a few - say headline (bynodeIsOfType) - andCreateNodePrivilegedoes the same: only allow to create the headline (bycreatedNodeIsOfType), this policy is correctly enforced via the cr. The Neos ui though is a little to restrictive and allows LESS than what is allowed by the core. TheEditNodePrivilegewould be required to be granted for content collections to be able to insert content. To avoid having to grant this privilege - which comes with the burden of otherwise having to allow content collections AND its subtypes which could be sliders, and to be technically correct, we just dont evaluate the can edit here.The button is still grey-d out if ALL nodes are disallowed by policy see:
neos-ui/packages/neos-ui-redux-store/src/CR/Nodes/selectors.ts
Lines 292 to 299 in 2597ffe
This behaviour has been since the introduction of Neos Ui policy evaluation: #1282
Though inside a commit shows that during the development the behavior was changed:
72b2614#diff-8b6869be808b6aad3e3ac19f6312c029d54112eb72aa09ffd757e4a7a686bcefR200
I can only assume that in "Enforce EditNodePrivilege for inline editing" the use of the
canEditflag was added to restrictive.What I did
How I did it
How to verify it