User with read-only role can restore revisions #10279

Closed
faltjo opened this issue Jun 10, 2024 · 0 comments · Fixed by #10314

faltjo commented Jun 10, 2024

Bug description

When logging in as a user who has read-only rights on some specific collection and opening an entry of this collection, all fields are marked as read-only, which is fine. However, the user can restore previous revisions.

I would expect that the user can see and examine previous revisions, but not restore them, e.g. the restore button in the 'revision overlay' could be disabled.

How to reproduce

  1. Create a new entry in some specific collection.
  2. Make sure the entry has multiple revisions.
  3. Create a role which only grants access to the CP (access cp) and read access (view {collection_name} entries) of the specific collection.
  4. Create a new user and assign the previously created role to it.
  5. Log in as the new user and open the previously created entry.
  6. Try to restore a previous revision (click 'View history' on the right panel -> select a revision -> click 'Restore' button in the top right corner -> confirm by clicking the popup's 'Restore' button)
  7. Toast in the left lower corner says 'Revision restored' and the entry has the state of the selected revision.

Logs

No response

Environment

Environment
Laravel Version: 11.8.0
PHP Version: 8.3.7
Composer Version: 2.7.6
Environment: local
Debug Mode: ENABLED
Maintenance Mode: OFF

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: pusher
Cache: redis
Database: pgsql
Logs: stack / daily
Mail: ses
Queue: sync
Session: file

Livewire
Livewire: v3.4.12

Statamic
Addons: 4
Sites: 1
Stache Watcher: Disabled
Static Caching: Disabled
Version: 5.5.0 PRO

Statamic Addons
rias/statamic-address-field: 1.3.0
rias/statamic-redirect: 3.7.1
statamic-rad-pack/meilisearch: 3.3.0
statamic/eloquent-driver: 4.0.0

Statamic Eloquent Driver
Asset Containers: file
Assets: file
Blueprints: file
Collection Trees: eloquent
Collections: file
Entries: eloquent
Forms: file
Global Sets: file
Global Variables: file
Navigation Trees: eloquent
Navigations: file
Revisions: eloquent
Taxonomies: file
Terms: file

Installation

Existing Laravel app

Additional details

No response
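
Added example, not part of the original report and not Statamic's code: a framework-free PHP model of the flaw described above, where the restore action trusts the read-only UI, next to a version that enforces the permission on the server. All class and function names, the `articles` collection and the `edit articles entries` permission string are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for illustration; none of these names are Statamic's API.
final class User
{
    public function __construct(public string $name, private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class Entry
{
    public function __construct(public string $collection, public array $data, public array $revisions) {}
}

// "Before": relies on the UI having marked the fields read-only; no server-side check.
function restoreRevisionUnchecked(User $user, Entry $entry, int $index): string
{
    $entry->data = $entry->revisions[$index];
    return 'Revision restored';
}

// "After": restoring overwrites the entry, so it demands the same permission as editing.
function restoreRevisionChecked(User $user, Entry $entry, int $index): string
{
    // Assumed permission name, modelled on the "view {collection_name} entries" string in the report.
    if (! $user->can("edit {$entry->collection} entries")) {
        throw new RuntimeException('403: not allowed to restore revisions');
    }
    $entry->data = $entry->revisions[$index];
    return 'Revision restored';
}

// Constructed sample data mirroring the reproduction steps (role with CP access and view only).
$reader = new User('reader', ['access cp', 'view articles entries']);
$entry  = new Entry('articles', ['title' => 'current'], [['title' => 'older']]);

// The unchecked handler lets the read-only user overwrite a copy of the entry.
echo restoreRevisionUnchecked($reader, clone $entry, 0), PHP_EOL;

try {
    restoreRevisionChecked($reader, $entry, 0);
} catch (RuntimeException $e) {
    echo $e->getMessage(), ' (title is still "', $entry->data['title'], '")', PHP_EOL;
}
```

Disabling the 'Restore' button, as suggested in the report, only changes what the UI offers; the server-side check is what stops a direct request to the restore endpoint.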
