When default/site-wide protect schema is set, Statamic ignores any protect settings on collections and entries #9552

Closed
SteveSplitHands opened this issue Feb 20, 2024 · 0 comments · Fixed by #9607


SteveSplitHands commented Feb 20, 2024

Bug description

Given a Statamic site, if you edit config/statamic/protect.php to have a default schema, the protect setting on individual entries is ignored. I should be able to define a default schema and then be able to override it on a per-entry/collection basis.

For the site I am working on, I want all pages to require being logged in. But for some pages, I want you not only to be logged in, but also to have a specific role to see them. So I set a default schema of logged_in and have created a custom driver that will check for logged-in status as well as checking for a specific role on the user.

However, once the default is set, Statamic never executes the code in my custom driver and as such allows anyone logged in to access the page regardless of roles.

How to reproduce

  1. Set default setting in config/statamic/protect.php to logged_in
  2. On an entry, add protect setting and set to true to allow no one to access entry
  3. While logged in, access entry. It will open.
  4. Go back to protect.php and remove/comment default setting
  5. Go back to entry that you added protect: true to. It will prevent you from accessing it.

Logs

No response

Environment

Environment
Application Name: An App
Laravel Version: 10.37.3
PHP Version: 8.2.10
Composer Version: 2.6.2
Environment: dev
Debug Mode: ENABLED
URL: app
Maintenance Mode: OFF

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: statamic
Database: sqlsrv
Logs: stack / single
Mail: smtp
Queue: sync
Session: file

Statamic
Addons: 1
Antlers: runtime
Sites: 1
Stache Watcher: Enabled
Static Caching: Disabled
Version: 4.49.0 PRO

Statamic Addons
stillat/antlers-layouts: 2.0.0

Installation

Fresh statamic/statamic site via CLI

Antlers Parser

Runtime (default)

Additional details

I have investigated where the issue is in Statamic. If I go to vendor/statamic/cms/src/Auth/Protect/Protection.php and look at the function scheme(), it appears that it looks for the default config first and, if it's present, it immediately takes it without looking for anything else.

If I alter this to look for the entry protection schema first, with some extra logic to check for a null/blank schema, and then fall back onto the default schema if present, I get the expected behavior.

Here is what I altered the function to look like.

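public function scheme()
{
    // Prefer the scheme set on the entry/collection itself, when there is one.
    if ($this->data && $this->data instanceof Protectable) {
        $schemeToUse = $this->data->getProtectionScheme();
        if (isset($schemeToUse)) {
            return $schemeToUse;
        }
    }

    // Otherwise fall back to the site-wide default from config/statamic/protect.php.
    if ($default = config('statamic.protect.default')) {
        return $default;
    }

    return null;
}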
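
The two lookup orders described in this issue, as an added example that is not part of the original report or of Statamic's code: plain PHP with no Statamic classes, listing which entries have their own protect value replaced by the site-wide default. The function names, the role_check scheme name and the sample entries are constructed for illustration, and treating both null and '' as "no scheme set" is an assumption.

```php
<?php
// Added example: plain PHP, no Statamic classes. All names are hypothetical.

// Assumption: null and '' both mean "no scheme set on the entry".
function ownScheme(array $entry): mixed
{
    $own = $entry['protect'] ?? null;
    return ($own === null || $own === '') ? null : $own;
}

// Behaviour described in the issue: a configured default wins outright.
function schemeDefaultFirst(?string $default, array $entry): mixed
{
    return $default ?: ownScheme($entry);
}

// Order proposed in the issue: the entry's own scheme first, default as fallback.
function schemeEntryFirst(?string $default, array $entry): mixed
{
    return ownScheme($entry) ?? ($default ?: null);
}

// Entries whose declared scheme is replaced by the default under default-first order.
function overriddenEntries(?string $default, array $entries): array
{
    $hits = [];
    foreach ($entries as $slug => $entry) {
        $declared  = schemeEntryFirst($default, $entry);
        $effective = schemeDefaultFirst($default, $entry);
        if ($declared !== $effective) {
            $hits[$slug] = ['declared' => $declared, 'effective' => $effective];
        }
    }
    return $hits;
}

// Constructed sample data: the protect value of four entries.
$entries = [
    'home'    => [],                           // nothing set: default applies either way
    'reports' => ['protect' => 'role_check'],  // hypothetical custom scheme
    'locked'  => ['protect' => true],          // step 2 of the reproduction
    'blank'   => ['protect' => ''],            // blank value: treated as unset
];

foreach (overriddenEntries('logged_in', $entries) as $slug => $r) {
    printf("%s: declared %s, effective %s\n", $slug,
        var_export($r['declared'], true), var_export($r['effective'], true));
}
```

Run against a real content export, a listing like this shows which entries were being served under the weaker site-wide scheme while a default was configured.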