Block custom permission

rklomp · December 23, 2022, 8:41pm

I am trying to add a custom permission to my block so I can show certain content to specific users only.

What I did so far:
Create a new permission key in package install:

		if (!is_object(\Concrete\Core\Permission\Key\Key::getByHandle('my_custom_permission'))) {
			$pkUploadFiles = \Concrete\Core\Permission\Key\Key::add('block', 'my_custom_permission', t('Custom Permission'), t('Give custom permission to user'), '', '', $pkg);
		}

The new permission is visible in the block permission view, and I have assigned a user to it.
In my block controller view function I try to check the permission, however this will always stay false.

        $b = Block::getByID($this->bID);
      	$pk = \Concrete\Core\Permission\Key\Key::getByHandle('my_custom_permission');
      	$pk->setPermissionObject($b);
      	var_dump($pk->can());

Is there anything I am missing? Should I do this differently?

Running Concrete 8.5.12

mnakalay · December 24, 2022, 11:46am

Just a hunch but maybe try

$permission = new Permissions($b);
var_dump($permission->canMyCustomPermission());

rklomp · December 24, 2022, 4:21pm

Tried that as well. Unfortunately it gives me int(0).

rklomp · December 28, 2022, 12:04pm

This is my current code and I cant figure out why this is not working. Is my custom block permission overridden by a permission from the page?

class Controller extends BlockController{	
        ....
	public function view(){
		$b = Block::getByID($this->bID);
		$bp = new Permissions($b);

		var_dump($bp->canMyCustomPermission());
      ....

EvanCooper · January 6, 2023, 12:03am

When you var_dump just $bp does it show evidence that the custom permission is actually getting loaded? I would imagine that custom permissions get pulled into the block view context but might be worth a look.

rklomp · January 9, 2023, 11:05am

Unfortunately var_dump($bp) will give me an allowed memory size exhausted error.
I will try to setup a dev environment to be able to run xdebug on the running code.

mnakalay · January 9, 2023, 12:18pm

try var_dump_safe($bp) instead

rklomp · January 10, 2023, 9:17pm

I have been digging using xdebug and found the following so far:

Permission/Key/Key->validate() :: Line 566

        $pae = $this->getPermissionAccessObject();
        if (is_object($pae)) {
            $valid = $pae->validate();
        } else {
            $valid = false;
        }

$this->getPermissionAccessObject() returned null, So $pae is null. This resulted in valid set to false.

Digging deeper into this function:

    public function getPermissionAccessObject()
    {
        $targ = $this->getPermissionAssignmentObject();

        return $targ->getPermissionAccessObject();
    }

$targ->permissionObjectToCheck is an instance of Page. Why??

Permission/Assignment/BlockAssignment :: Line 20


    public function setPermissionObject($b)
    {
        $this->permissionObject = $b;

        // if the area overrides the collection permissions explicitly (with a one on the override column) we check
        if ($b->overrideAreaPermissions()) {
            $this->permissionObjectToCheck = $b;
        } else {
            $a = $b->getBlockAreaObject();
            if ($a instanceof SubArea && !$a->overrideCollectionPermissions()) {
                $a = $a->getSubAreaParentPermissionsObject();
            }
            if (is_object($a)) {
                ....
            } else {
                $this->permissionObjectToCheck = Page::getCurrentPage();
            }
        }
    }

$b->overrideAreaPermissions() returns 0. And in the end this causes this function to return Page::getCurrentPage();.

Its strange this is 0 as in the GUI it saus the block overrides the permission.

Also, looking at the database the cbOverrideAreaPermissions for this block is set to 1. So why is overrideAreaPermissions() returning 0?

Clicking the “Revert to Area Permissions” button in the GUI will change this value to 0, and clicking “Override Permissions” will set it to 1.

So why is it not loaded correctly in the Block object?

So, to conclude…
In my controller I run:

$b = Block::getByID($this->bID);

The code in Block/Block.php does not load cbOverrideAreaPermissions from the database as no Collection or Area is provided.
As this is not set, the $b->overrideAreaPermissions() will set it to 0:

    public function overrideAreaPermissions()
    {
        if (!isset($this->cbOverrideAreaPermissions) || !$this->cbOverrideAreaPermissions) {
            $this->cbOverrideAreaPermissions = 0;
        }

        return $this->cbOverrideAreaPermissions;
    }

And thus the permissions will never work

So how to I get it to load this from the database? I could use something like below, but that does not work as I need to provided both the collection and area. How to I know the area?

		$b = Block::getByID($this->bID);
		$c = $b->getBlockCollectionObject();
		$b = Block::getByID($this->bID, $c);

A temporary workaround could be:

		$b = Block::getByID($this->bID);
		$b->cbOverrideAreaPermissions=1;
		$bp = new Permissions($b);

Now var_dump($bp->canMyCustomPermission()); will give int(1).

rklomp · January 11, 2023, 10:31am

I assume this is a bug and created a bug report on github.

github.com/concretecms/concretecms

Block Override Permissions not loaded in BlockController

opened 09:55AM - 11 Jan 23 UTC

rklomp

Type:Bug

### Affected Version of Concrete CMS 8.5.x, 9.x ### Description When bl…ock permissions are set to override area and page permissions, these permissions are not loaded correctly in the BlockController. If you run [`$this->getPermissionObject()`](https://github.com/concretecms/concretecms/blob/develop/concrete/src/Block/BlockController.php#L250-L255) it loads the block by using [`Block::getByID()`](https://github.com/concretecms/concretecms/blob/develop/concrete/src/Block/Block.php#L193). As no Collection and Area are passed to the function, the [sql query](https://github.com/concretecms/concretecms/blob/develop/concrete/src/Block/Block.php#L227) will not load the `cbOverrideAreaPermissions` field. When [checking permissions](https://github.com/concretecms/concretecms/blob/develop/concrete/src/Permission/Assignment/BlockAssignment.php#L25) the `cbOverrideAreaPermissions` is set to 0 by [`$b->overrideAreaPermissions()`](https://github.com/concretecms/concretecms/blob/develop/concrete/src/Block/Block.php#L1363). This causes the code to not check any overridden block permissions, but fall back to the page permissions. See also https://forums.concretecms.org/t/block-custom-permission/4739/8 ### How to reproduce Using a custom BlockController in view(): ```php $bp = $this->getPermissionObject(); var_dump($bp->canWrite()); ``` Set block permissions to override and give user edit permissions on the block. (while it does not have page write permissions) A workaround fix: ```php $b = Block::getByID($this->bID); $b->cbOverrideAreaPermissions=1; $bp = new Permissions($b); var_dump($bp->canWrite()); ``` ### Possible Solution _No response_ ### Additional Context _No response_