[WIP] Issue #27: Fix permissions #29
Conversation
donquixote
force-pushed
the
issue-27-fix-permissions
branch
from
24d8c60
to
dc42d13
Compare
src/Cool/CoolRequest.php
Outdated
|
|
||
| if (!$res) { | ||
| \Drupal::messenger()->addError(t('Cannot fetch from @url.', ['@url' => $discovery_url])); | ||
| } |
There was a problem hiding this comment.
This actually happened to me all the time and slowed things down.
Not sure if we can safely include it in this PR.
There was a problem hiding this comment.
The question is which version of Collabora Online are you using. I'm currently tracking down an issue with a recent change that the Drupal module seem to trigger. And maybe it is related.
There was a problem hiding this comment.
Whichever version we get from using the 'collabora/code' docker image.
There was a problem hiding this comment.
indeed it's recent enough to have the issue.
If I apply this patch alone with the two extra lines for the SSL verification, it actually solve the problem in CollaboraOnline/online#10042
There was a problem hiding this comment.
I will isolate the patch from this PR, and make a separate PR.
The tests no (longer) depend on the connection to collabora, so it does not impact them.
There was a problem hiding this comment.
Removed from the PR for now.
donquixote
force-pushed
the
issue-27-fix-permissions
branch
2 times, most recently
from
b969749
to
3707404
Compare
collabora_online.module
Outdated
| AccountInterface $account, | ||
| ): AccessResultInterface { | ||
| // @todo Should it make a difference whether a media is published or not? | ||
| // @todo Should a user be allowed to preview/edit a media in Collabora even |
There was a problem hiding this comment.
For regular media access in core:
- With 'administer media' you can do anything.
- (Generic "update any media" and "update media" and others are being faded out, I don't mention them below, see https://www.drupal.org/project/drupal/issues/2925459.)
- (Create and delete are not relevant for us, I don't mention them below.)
- Otherwise:
- To view published media, it needs "view media" permission.
- To view own unpublished media, it needs "view own unpublished media" permission to view.
- To view other people's unpublished media, you need "administer media".
- To update any media (published or not), you need to:
- "edit any media", OR.
- "edit own media", and be the owner.
There was a problem hiding this comment.
This actually reveals a lack in Drupal core.
See https://www.drupal.org/project/drupal/issues/2936652
Currently there are permissions to "edit any media" which also applies to unpublished, and does not require ownership.
But to view the same media, you need to be the owner or have "administer media".
There was a problem hiding this comment.
I am removing these @todo after talking with my colleagues.
In the current iteration, we make no distinction of published vs not published.
Also we treat these operations as isolated from other media operations.
Instead, we could add description to the permission itself.
donquixote
force-pushed
the
issue-27-fix-permissions
branch
from
3707404
to
229c013
Compare
|
Drupal conventions set the indentation level to 2 spaces. |
src/CollaboraMediaPermissions.php
Outdated
| "edit own $type_id in collabora" => [ | ||
| 'title' => $this->t('%type_name: Edit own media file in Collabora', $type_params), | ||
| ], | ||
| "edit any $type_id in collabora" => [ |
There was a problem hiding this comment.
We had internal spec which said "edit all", but "edit any" is more aligned with core permissions.
There was a problem hiding this comment.
Also, "edit any xyz" works better with singular "xyz". With "edit all xyz", xyz would have to be plura.
src/Cool/CoolRequest.php
Outdated
| $res = curl_exec($curl); | ||
|
|
||
| if (!$res) { | ||
| \Drupal::messenger()->addError(t('Cannot fetch from @url.', ['@url' => $discovery_url])); |
There was a problem hiding this comment.
Here I just log the error but then proceed to return false.
The calling code already does have a condition for return value false.
We could improve the error handling in the future.
donquixote
force-pushed
the
issue-27-fix-permissions
branch
from
229c013
to
bcb49de
Compare
|
|
||
| The user role `anonymous` by default disallows editing and is the | ||
| minimal permission for viewing documents in Collabora Online. | ||
|
|
There was a problem hiding this comment.
We can rethink this section. For now I just removed it to avoid confusion.
There was a problem hiding this comment.
Right now it is unclear how these new permissions work. Is it possible to have a short write up here?
donquixote
force-pushed
the
issue-27-fix-permissions
branch
2 times, most recently
from
e154762
to
0972d4a
Compare
How to run the tests.For now I am not adding a phpunit.xml(.dist) file. I personally ran the tests with ddev-drupal-contrib. I assume that Francesco will probably run the tests from a custom project where this module is pulled in as a dependency. So it is up to the developer/reviewer how they want to run the tests. |
src/Controller/ViewerController.php
Outdated
| } | ||
| public function __construct( | ||
| private readonly RendererInterface $renderer, | ||
| ) {} |
There was a problem hiding this comment.
This change simplifies the class by using constructor property promotion.
It is now a bit unnecessary in the final version of the PR, but it made more sense with prior commits in this PR where the constructor parameters were changed. I suggest to keep it.
There was a problem hiding this comment.
you did not do it for CollaboraMediaPermissions
src/Cool/CoolRequest.php
Outdated
| // stream_context_create(), the 'verify_peer' and 'verify_peer_name' | ||
| // options were set. | ||
| // @todo Check if an equivalent to 'verify_peer_name' exists for curl. | ||
| CURLOPT_SSL_VERIFYPEER => !$disable_checks, |
There was a problem hiding this comment.
adding
CURLOPT_SSL_VERIFYSTATUS => !$disable_checks,
CURLOPT_SSL_VERIFYHOST => !$disable_checks,seems to work.
There was a problem hiding this comment.
Can you tell me what is different with or without these additions?
I am happy to add it but I like to understand why.
There was a problem hiding this comment.
my setup use self signed certificates (it's local to my workstation) and without these two option it go through.
I think maybe of the two just CURLOPT_SSL_VERIFYHOST is needed (it doesn't work without,a nd removing CURLOPT_SSL_VERIFYSTATUS seems to be fine). It seems to be the equivalent of verify_peer_name.
There was a problem hiding this comment.
Actually it should be
CURLOPT_SSL_VERIFYHOST => $disable_checks ? 0 : 2,as per https://www.php.net/manual/en/curl.constants.php#constant.curlopt-ssl-verifyhost
src/CollaboraMediaPermissions.php
Outdated
| /** | ||
| * Provides permissions for Collabora per media type. | ||
| * | ||
| * This class is registered in collabora_online.permissions.yml. |
src/CollaboraMediaPermissions.php
Outdated
| protected $entityTypeManager; | ||
|
|
||
| /** | ||
| * MediaPermissions constructor. |
There was a problem hiding this comment.
| * MediaPermissions constructor. | |
| * CollaboraMediaPermissions constructor. |
There was a problem hiding this comment.
oops lazy copy paste.
Personally I like just "Constructor." but ok for me.
See https://www.drupal.org/project/coding_standards/issues/3457897 which has different opinions.
There was a problem hiding this comment.
I checked core and oe_* modules. We have a mix of "Constructs a *** instance" and "*** constructor". I also see the occasional "Constructor." which could have been me and was accepted in a review at the time it happened.
collabora_online.routing.yml
Outdated
| @@ -11,13 +12,16 @@ collabora-online.view: | |||
| edit: | |||
| type: boolean | |||
| requirements: | |||
| _permission: 'access content' | |||
| # Media id must be an integer. | |||
There was a problem hiding this comment.
It's evident from the code, I would not add this comment
src/Controller/ViewerController.php
Outdated
| } | ||
| public function __construct( | ||
| private readonly RendererInterface $renderer, | ||
| ) {} |
There was a problem hiding this comment.
you did not do it for CollaboraMediaPermissions
src/Controller/WopiController.php
Outdated
| \Drupal::logger('cool')->error('Token and user permissions do not match.'); | ||
| return static::permissionDenied(); | ||
| } | ||
|
|
||
| $user_picture = $user->user_picture->entity; | ||
| $user_picture = $user->user_picture?->entity; |
There was a problem hiding this comment.
I might actually split it out of the PR.
src/Cool/CoolRequest.php
Outdated
| 'verify_peer_name' => !$disable_checks, | ||
| ]]); | ||
| $res = file_get_contents($discovery_url, false, $stream_context); | ||
| // Previously, file_get_contents() was used to fetch the discovery xml data. |
There was a problem hiding this comment.
let's have a clean PR only with stuff related to our issue
There was a problem hiding this comment.
yeah, see comments below.
It first seemed necessary to make things work, but now we can skip it.
There was a problem hiding this comment.
Also, the problem was addressed in COOL so it shouldn't be necessary per see.
| $media = $items->getEntity(); | ||
| if (!$media instanceof MediaInterface) { | ||
| // The formatter is being used on the wrong entity type. | ||
| // @todo Log this. |
There was a problem hiding this comment.
todos become wont dos, think its better to have these todos grouped in issues
There was a problem hiding this comment.
There will need to be an issue about error handling, then we can clean this up.
To me, the @todo indicates that the code as it is now is not intentionally this way but because we did not have the capacity or scope to do it properly.
But I can drop it.
There was a problem hiding this comment.
| * New media entity. | ||
| */ | ||
| protected function createMediaEntity(string $type, array $values = []): MediaInterface { | ||
| file_put_contents('public://test.txt', 'Hello test'); |
There was a problem hiding this comment.
use \Drupal::service('file_system')->copy(
There was a problem hiding this comment.
We are not copying, we just put file content.. to copy we have to put an example file. or maybe use one that already exists.
There was a problem hiding this comment.
yes, I would go with the whole sh'bang, put a fixtures folder under test etc etc
There was a problem hiding this comment.
I actually find a bunch of file_put_contents('public://' . in core tests.
I would prefer to keep this simple snippet unless you can point out what could possibly go wrong.
tests/src/Functional/AccessTest.php
Outdated
| * @return array | ||
| * Report to compare against in assertions. | ||
| */ | ||
| protected function buildAccessReport(array $paths, array $users): array { |
There was a problem hiding this comment.
this is too cryptic for me (and prob most people), in the test I need to see clearly that role x and y have or not permission for routes. I can guess what this '/cool/view/<document>' => ['reader', 'editor'], means but dont really know until I compare what buildAccessReport is actually composing
There was a problem hiding this comment.
The benefit of the "compare big array" is that you see in one big overview what you need to fix.
if we do separate assertions, we only see the first failure which would say "user x has no access to path y".
knowing which users have access and which don't is quite useful for troubleshooting.
Could we resolve this confusion with comments or improved assertion message?
Or is the problem in the "magicalness" of the buildAccessReport()?
There was a problem hiding this comment.
magicalness yes, need to be more readable without debuging
| /** | ||
| * Tests a scenario where specific permissions are given to users. | ||
| */ | ||
| public function testCollaboraMediaPermissions(): void { |
There was a problem hiding this comment.
you could rather build a simpler test that receives data from a yeilding function (doesn't need to be marked as a provider, we can just loop)
donquixote
force-pushed
the
issue-27-fix-permissions
branch
from
0972d4a
to
e0a2c08
Compare
| ], | ||
| $accounts, | ||
| $paths, | ||
| ); |
There was a problem hiding this comment.
@drishu I think this is simpler, is it not?
| $media = \Drupal::entityTypeManager()->getStorage('media')->load($id); | ||
| if (!$media) { | ||
| // @todo Use default mechanism for access denied response. | ||
| return static::permissionDenied(); |
donquixote
force-pushed
the
issue-27-fix-permissions
branch
3 times, most recently
from
5ceeeac
to
d34d7d0
Compare
|
@hfiguiere or whoever wants to merge this: |
| use Drupal\Tests\media\Traits\MediaTypeCreationTrait; | ||
| use Drupal\Tests\TestFileCreationTrait; | ||
| use Drupal\user\Entity\Role; | ||
| use Drupal\user\PermissionHandlerInterface; |
There was a problem hiding this comment.
Most of the classes aren't used, please removed unused.
| * {@inheritdoc} | ||
| */ | ||
| protected static $modules = [ | ||
| 'media', |
There was a problem hiding this comment.
Not needed since its a module dependency.
Will be added on install.
|
Changes about permissions are ready @hfiguiere |
|
|
||
| /* Make sure that the user is a collaborator if edit is true */ | ||
| $edit = $edit && $permissions['is_collaborator']; | ||
|
|
There was a problem hiding this comment.
How do we check about the write permission? The code above make sure that if you get an "editor" but don't have write permission as per drupal, then you get bounced back to a read-only. It also reject if you don't have viewing permission. This is better than WOPI errors in Collabora online.
There was a problem hiding this comment.
Permissions are set at the entity level and can be found in the collabora_online.module. They handle actions like viewing and editing documents. These permissions are not tied to specific roles, allowing sites to configure which roles can access or modify documents.
This removes noise from following commits.
AaronGilMartinez
force-pushed
the
issue-27-fix-permissions
branch
from
723aebc
to
847f29d
Compare
…upal permissions. Also remove roles configuration which is no longer needed now.
…README.md, for now. A new version of this section may be re-added later.
…n the field formatter.
…on links, instead of regular media access.
…definition for view and edit routes.
…perms and 'edit own'.
…sionDenied(), drop the `@todo` in the controller method.
AaronGilMartinez
force-pushed
the
issue-27-fix-permissions
branch
from
847f29d
to
805efa2
Compare
|
Hi @hfiguiere, added license for the files, and rebased branch. |
No description provided.