cancel
Showing results for 
Search instead for 
Did you mean: 

Reopened - User Roles issue with limited user permission for Content --> pages #6463

0 Kudos

Reopened - User Roles issue with limited user permission for Content --> pages #6463

Feature request from senthilengg, posted on GitHub Sep 02, 2016

Preconditions

  1. Magento 2.1
  2. PHP 5.6 , Nginx+PHP-Fpm

Steps to reproduce

  1. Create a new User Role.
  2. Content --> Pages should only be allowed.
  3. Assign the role to any user.
  4. Login with the above user credential and make sure you have access to only Pages.
  5. Go to Pages
  6. Click Add New Page --> Click Content --> Click Show Hide Editor ( Press F5 or refresh the page )
  7. Try Insert Widget --> Select Catalog Product List from drop down --> Click the + icon to select products -- > Click list icon

Expected result

  1. Tiny Mce should be viewed.
  2. Product list should show up for selection.

Actual result

  1. Editor not displayed.
  2. Page refreshed.
10 Comments
Not applicable
Status changed to: Investigating
 
Not applicable

Comment from senthilengg, posted on GitHub Sep 02, 2016

@sevos I have made it working with the work around of giving access to Marketing --> Catalog price rules alone and without catalog or product permission. So here is the new ticket consider this as reopened. Sine i am not sure how can I reopen the parent ticket.

Not applicable

Comment from sevos1984, posted on GitHub Sep 05, 2016

I've set role only to Pages and Catalog price rules but didn't get products list. Please attach your permissions list.

Not applicable

Comment from senthilengg, posted on GitHub Sep 05, 2016

@sevos1984 Here you go ... I think I haven't mentioned that it should also have the widget permission. But still its working without catalog permission.

catalog_permissions
Not applicable

Comment from sevos1984, posted on GitHub Sep 05, 2016

With Widgets permissions all work fine. Do you mean it shouldn't work without Catalog permissions?

Not applicable

Comment from senthilengg, posted on GitHub Sep 05, 2016

@sevos1984 my expectation is, it should work even without catalog rule and widget. Because widget doesn't require catalog permission to load products and catalog price does not require catalog permission as well. Similarly pages should also work independently without both catalog rule and widget.

I came to these kind of permission setup after seeing the 403 forbidden errors. But from a layman stand point or from a dministratorr view it should be working independently. Do you agree ?
If so I think this can be fixed by extending the controller function of to look at the current url's permission rather than the xmlhttp or Ajax URL permission during an ajax call. Since the origin of this issues is an ajax call to the catalog rule module.
I believe this will bring in fantastic user experience from a catalog or magento admin view and honestly the current behavior looks really inconsistent from a user experience stand point.

Not applicable

Comment from sevos1984, posted on GitHub Sep 06, 2016

I don't agree that Widgets should work without widget permission. And if Widget and Pages allowed all works right, I don't see any bugs here. Wrong setup will give 403 to user but to avoid this all modules should be refactored, that a huge amount of work that is not in priority at the moment.

Not applicable

Comment from senthilengg, posted on GitHub Sep 07, 2016

My perspective of seeing this as a bug is , Since its working without catalog permission and why it should not work without widget or catalog rule. But this topic can still taken to consideration for improvement if your internal team and consultants interested in doing so. So I am leaving this as open, if you feel otherwise feel free to close the issue.

Not applicable

Comment from sevos1984, posted on GitHub Sep 07, 2016

Improvement for permissions relation are in backlog MAGETWO-3128. Thanks

Not applicable

Comment from senthilengg, posted on GitHub Sep 07, 2016

Thanks. Appreciated @sevos1984