This concept describes the current state of permission-based configuration - or lack thereof - for enabling/disabling actions (or any other UI element) based on specific access restrictions.
Decisions are marked with a icon.
Concept is ready for implementation, both for 5.2.x and for a future major version.
Problem
One can restrict (action) availability based on user roles, but not based on user permissions at given workspace / path.
Concrete case
As of Magnolia 5.2.1, actions are not disabled if user has no permission to act on selected node. This is an issue with e.g. read-only pages, as captured by the following Jira ticket:
MGNLUI-2510 - Getting issue details... STATUS
Current configuration
Let's take the deactivation action as an example, with following base path /modules/pages/apps/pages/subApps/browser/actions.
- actions
- deactivate (
ActionDefinition
)- availability (
AvailabilityDefinition
)- access ($webResourceManager.requireResource("info.magnolia.sys.confluence.artifact-info-plugin:javadoc-resource-macro-resources") AccessDefinition)
- roles
- demo-publisher = demo-project-publisher
- superuser = superuser
- roles
- ruleClass = info.magnolia.ui.api.availability.IsNotDeletedRule (
AvailabilityRule
)
- access (
- class = info.magnolia.ui.framework.action.DeactivationActionDefinition
- ...
- availability (
- deactivate (
As a side note, the AccessDefinition property is named access in the case of actions but it is generally named permissions, as in AppDescriptor or AppLauncherGroupDefinition.
This has been reported to be misleading, in particular in documentation, and should be inlined whenever is appropriate.
Decisions
1. Configuring permission checks in availability
Add a requiredPermissions property under AvailabilityDefinition or AccessDefinition- comma separated list of JCR permissions (aka action strings)
- add_node, set_property, remove, read
- we should rather use Magnolia permissions
- doesn't fit for upcoming custom permissions
- naming is debatable (permissions > requiredPermissions)
- comma separated list of JCR permissions (aka action strings)
Add a writePermissionRequired boolean property under AvailabilityDefinition or AccessDefinition- simply checks for Magnolia WRITE permission
- which entry point? cannot use PermissionUtil
- for custom permissions, people will need to implement AvailabilityRule
- We unify availability's access, ruleClass and other criteria using voters, in a future major version
- supports custom permissions (forum), even non-JCR based, using dedicated voters
- Do we keep availability's "shorthands"?
- nodeTypes, root, properties...
- yet update underlying implementation to work with voters
- For 5.2.x, we introduce a delegating AvailabilityRule which helps us already start working with voters
getting well prepared for migrating to the next approach
2. The add_node permission with subnodes-only ACLs
- with /A readonly and /A/B/* read-write, add_node is not granted on /A/B
- JCR spec is a bit unclear as to what absPath means in that case
- adding a node at absPath VS. adding a node under absPath
- 4.5 behaves the same in similar subnodes-only permissions
- Current behavior is actually correct against JCR permissions
- add, move, reorder all require write permission on parent node
3. ActionExecutor is responsible for availability checks
- Currently hooking in AbstractActionExecutor#isAvailableForItem
- item is null when root is selected, no way to assess permissions then
- #isAvailable() is (the sole) JCR Item dependent api in ActionExecutor interface and doesn't belong here
- We keep this as a separate topic, not for 5.2.x anyway
Forward thinking
- Availability / AccessDefinition is a broad concept meant to be reused across several UI components (e.g. fields, tabs, templates).
- Can one configure custom permissions for an action? e.g. forum moderator can only perform moderation at specific path
- Can one plug basic permission rules for non-JCR datasources (no ACLs)?
ActionExecutor is probably not where availability / permission checks belong.