Setting contextPermissions via permission Setting

We’re defining some permissions in our config.cfc for different roles. Works so far, members of that role get a 401 when they try to access an object that they shouldn’t.

The object in question is still listed in Data Manager and we would like to hide it entirely from members of that specific group.

We can do this by manually setting the permissions for this group via the admin interface.

Is there a way to do this via a setting in Config.cfc so that we don’t have to click through all the objects and manually deny access?

I think this could/should be done entirely through roles. You have a single, or multiple roles that grant various access to various permissions you want for the object.

You grant no other roles access to the object.

Then in the admin you create a group/s that has that/those role/s. Only put people in the group that wish access.

That’s what we did. We defined the roles and assigned them to usergroups.

In DatamanagerService.getGroupedObjects (where the datamanager is put together) is the following code (line 72):

permsService.hasPermission( permissionKey="datamanager.navigate", context="datamanager", contextKeys=[ objectName ] )

This only returns false when the contextKey navigate is denied for the specific usergroup through the GUI.

If there’s no denial to this group, the permissionKey="datamanager.navigate" is returning true for the complete access of the datamanager, but not for the individual object.

Setting the permission to !myObject.navigate is returning a 401 when clicking on the link to the object in the datamanager, but it’s still listed there.

According to the hasPermission this is correct, because yes, the general access to the datamanager is granted, but the one to the individual object isn’t.

Is the getGroupedObjects wrong in this case? We can’t hide it through the permission settings.

Ah, I see - the “datamanager listing” page is not something that has been touched in a long while and not something we use any more internally.

It sounds like a bug and that we should be using data manager customisations to check permissions for each object.

Can I double check, is this the problem?

Users can see objects listed in the datamanager listing, even though they do not have permission to do anything with them?

Exactly this is the problem.

Thanks for caring.

For reference: [PRESIDECMS-2735] - JIRA

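The mismatch discussed in this thread, as an added example that is not part of the original posts and is not Preside's own code: a simplified Python model in which the listing filter checks only `datamanager.navigate` with the object as context key, while opening an object checks `<object>.navigate`. The role, group and object names, the wildcard matching and all function names are assumptions made for illustration.

```python
# Simplified model of the two checks described in the thread (assumption, not Preside source).
from fnmatch import fnmatchcase

# Constructed role definition: grants plus a "!" exclusion like the one in the thread.
ROLE_PERMISSIONS = {
    "editor": ["datamanager.navigate", "*.navigate", "!myObject.navigate"],
}
# Explicit per-object denials, standing in for what is set through the admin GUI:
# (context, contextKey, permissionKey, group)
CONTEXT_DENIALS = set()

def role_allows(role, permission_key):
    """Role-wide check: an exclusion beats any grant."""
    rules = ROLE_PERMISSIONS.get(role, [])
    if any(r.startswith("!") and fnmatchcase(permission_key, r[1:]) for r in rules):
        return False
    return any(not r.startswith("!") and fnmatchcase(permission_key, r) for r in rules)

def has_permission(role, group, permission_key, context=None, context_keys=()):
    """An explicit context denial wins; otherwise fall back to the role-wide key."""
    for key in context_keys:
        if (context, key, permission_key, group) in CONTEXT_DENIALS:
            return False
    return role_allows(role, permission_key)

def can_open(role, group, object_name):
    # The check that produces the 401 when the object link is clicked.
    return has_permission(role, group, f"{object_name}.navigate")

def listing_as_described(role, group, objects):
    # Listing filter as quoted in the thread: general key, object only as context key.
    return [o for o in objects
            if has_permission(role, group, "datamanager.navigate", "datamanager", [o])]

def listing_consistent(role, group, objects):
    # Listing that also applies the per-object key, so hidden and blocked sets agree.
    return [o for o in listing_as_described(role, group, objects)
            if can_open(role, group, o)]

if __name__ == "__main__":
    objs = ["myObject", "article"]  # constructed object names
    print("listed:", listing_as_described("editor", "editors", objs))
    print("openable:", [o for o in objs if can_open("editor", "editors", o)])
    print("consistent listing:", listing_consistent("editor", "editors", objs))
```
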