grandnode2

Permission denied for specific Action when two groups are assigned to user

Open Nikhil13x opened this issue 2 years ago • 4 comments

A user is assigned two groups:

- Group 1 - Administrator, with all permissions and their actions enabled
- Group 2 - TestGroup, with one action unselected (Admin Area.Manage Products -> "List")

In this case, the user is not allowed to "List" the products, even if the permission is assigned via one group. The deny rule takes precedence.

Is this expected behaviour?

Nikhil13x, Dec 09 '23 06:12

image

This snippet returns false on occurrence of a deny rule in actions. Should it return true whenever there is no deny rule for a group in the for loop instead?

Nikhil13x, Dec 09 '23 06:12

@Nikhil13x yes, it is expected behaviour.

KrzysztofPajak, Dec 09 '23 17:12

@KrzysztofPajak Understood. But the logic at the permissionSystemName level works the other way. If the checkbox is selected for any group assigned to the user, it allows access. Only at the action level is the deny rule applied. It's a little confusing.

Nikhil13x, Dec 10 '23 04:12

@Nikhil13x you are right, it can be a little confusing. I will consider changing it. In the PermissionAction collection (in the database) we save records to which you do not have access. In this case, we will have to change the operating mechanism and perform a migration.

KrzysztofPajak, Dec 10 '23 07:12
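
The two evaluation rules discussed in this thread, modelled side by side as an added example (a simplified sketch, not GrandNode's code and not written by either participant). The group names come from the issue; the permission names `ManageProducts` and `ManageOrders`, the `Edit` action, the data structures and all function names are constructed for illustration. `shadowed_grants` is an audit helper that lists actions where one group's deny record overrides another group's grant.

```python
# Added illustration: a simplified model, not GrandNode's implementation.
# Constructed data: permissions each group has checked.
GROUP_PERMISSIONS = {
    "Administrator": {"ManageProducts", "ManageOrders"},
    "TestGroup": {"ManageProducts"},
}
# As described in the thread, only actions a group does NOT have access to
# are stored. Modelled here as (group, permission, action) deny records.
DENIED_ACTIONS = {("TestGroup", "ManageProducts", "List")}


def has_permission(groups, permission):
    """Permission level: any group with the box checked grants access."""
    return any(permission in GROUP_PERMISSIONS.get(g, set()) for g in groups)


def action_allowed_deny_wins(groups, permission, action):
    """Behaviour reported in the issue: one deny record blocks the user."""
    if not has_permission(groups, permission):
        return False
    return not any((g, permission, action) in DENIED_ACTIONS for g in groups)


def action_allowed_any_group(groups, permission, action):
    """Alternative raised in the issue: allow when at least one group
    that grants the permission has no deny record for the action."""
    granting = [g for g in groups if permission in GROUP_PERMISSIONS.get(g, set())]
    return any((g, permission, action) not in DENIED_ACTIONS for g in granting)


def shadowed_grants(groups, actions):
    """Audit helper: (permission, action, denying groups) for every action
    that some group grants but a deny record in another group blocks."""
    permissions = sorted({p for g in groups for p in GROUP_PERMISSIONS.get(g, set())})
    findings = []
    for permission in permissions:
        for action in actions:
            if (action_allowed_any_group(groups, permission, action)
                    and not action_allowed_deny_wins(groups, permission, action)):
                deniers = sorted(g for g in groups
                                 if (g, permission, action) in DENIED_ACTIONS)
                findings.append((permission, action, deniers))
    return findings


if __name__ == "__main__":
    user_groups = ["Administrator", "TestGroup"]
    print(shadowed_grants(user_groups, ["List", "Edit"]))
```
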