Revolution: More ACLs listed as available
Bug report
Summary
Some ACLs are listed as having more ACLs than are actually available.
Step to reproduce
Open your ACL lists under settings->access-control-lists->access-policies.
Have a look at the very last column ('active permissions). Some rows show entries like "8 of 7" rules.
This seems to effect "content blocks full access", "context", "element", "media source admin", "object".
Expected behavior
7 of 7 should be fine
Environment
MODX version 2.7.1 updated from 2.6.5 (step-by-step).
I'll post more server info if requested.
pepebe
All 6 comments
Current Version is 2.8.1 and this is still an issue:
How can the number of active permissions be higher than the number of available permissions?
Cheers,
Patrick
patrickatwsrn
on 16 Mar 2021
Interesting bug. The answer to the question How? is easy. We have system permissions, which come with MODX during installation, but other extras can add their own under the specific template, and the total value becomes 8 for example, while the system permissions linked only 7.
alroniks
on 16 Mar 2021
Thanks for shedding some light on this mystery.
So the number of "native" permissions is shown in the column as "total", but the actual number can be higher because of third party plugins.
To fix this, we would have to find out how many "potential" permissions we have in each ACL and then list this number as the new total.
This might be tricky...
As time goes by more and more permissions will be added. I now have 11 out of 7 permissions for context.
I'd imagine that this problem wouldn't show up with third party permissions, but this doesn't seem to be the case.
Question: Is this perhaps caused by "abondoned" permissions? Or is there a concept for "hidden" permissions that I'm not aware of?
Apart from the x out of y issue, I believe the "Access Policy tab" should list all available permissions.
I guess it would also be a good idea to list the "source" of each permission in a dedicated column:
The namespace name could be used for this, so standard permissions could use "core", permissions added by extras could be for example "moregallery", "stercseo", etc.
patrickatwsrn
on 16 Mar 2021
Thank you @patrickatwsrn Great explanations and suggestions. Sounds like a plan.
alroniks
on 16 Mar 2021
I have found more examples that seem to be related to this problem.
- load (only)
This permission claims I have 2 out of 5 permissions...
but only one out of 5 is active
- load list and view
This permission claims that I have 4 out of 5 permissions
But I have only 3 out of 5
Sidenote: I wonder how "remove" and "save" fit into the bigger picture of the "object template" load/list/view is based on and what would be usecases to switch them on.
patrickatwsrn
on 17 Aug 2021
BTW: Why is it even possible to add custom permissions to a default policy?
Wouldn't it be better to force a user to create a custom policy (template) and add permissions to this new set?
Modmore does it and I believe this to be a much more transparent and consistent way to handle permissions.
patrickatwsrn
on 17 Aug 2021
Related issues
winformatic
路
4Comments
Ruslan-Aleev
路
3Comments
gadgetto
路
4Comments
alexsoin
路
3Comments
netProphET
路
3Comments