Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Main concern: Users without editing privileges are still able to edit existing content (no creation or deletion, only editing).
Side effect: With the edit permission denied, some other functions like image-with-metadata can't be executed (status 403 Forbidden). Other side effects may also occur when disabling the edit permission.
Expected Behavior
Main concern: Users without editing privileges are not able to edit existing content.
Side effect: I would expect these functions to be connected to the read permission, not the edit permission.
Steps To Reproduce
Set the privilegeTarget Neos.Neos:Backend.EditContent to DENY.
Environment
- Neos: 8.3.9
- PHP: 8.2
Anything else?
What I've done so far:
The initial approach was to use Sandstorm Neos ACL to allow editing only on specific pages with dynamic rules, combined with the Neos.Neos:RestrictedEditor role. Even if a user only gets permission on a specific page, he can edit existing content on other pages.
Checking the policies of Neos.Neos:AbstractEditor (parent role of Neos.Neos:RestrictedEditor), there is the privilegeTarget Neos.Neos:Backend.EditContent granted, which maybe grants editing privileges globally / for every existing page, ignoring the dynamic role. So I set the target to DENY and tested again. Global editing is still possible. I tested this also with users not using a dynamic role, to determine whether the problem could come from the Neos ACL package. These users are also still able to edit existing content.
Side effects
The side effects are not very urgent, but occur when disabling Neos.Neos:Backend.EditContent. It's not the main concern, but if the editing issue has to be fixed in the privilege Neos.Neos:Backend.EditContent, maybe this side effect should be fixed as well.