IBX-5026: Fixed subtree op. perm. checks for Content with multiple Locations

barw4 · web-flow · commit 6cd2cb89c036 · 2023-03-09T12:19:00.000+01:00
For more details see https://issues.ibexa.co/browse/IBX-5026 and #365 * Allowed user to move subtree if he doesn't have access to second content's location
diff --git a/eZ/Publish/API/Repository/Tests/LocationServiceTest.php b/eZ/Publish/API/Repository/Tests/LocationServiceTest.php
@@ -22,6 +22,7 @@
 use eZ\Publish\API\Repository\Values\Content\Query;
 use eZ\Publish\API\Repository\Values\Content\Search\SearchHit;
 use eZ\Publish\API\Repository\Values\Content\URLAlias;
+use eZ\Publish\API\Repository\Values\User\Limitation\SubtreeLimitation;
 use eZ\Publish\Core\Repository\Values\Content\ContentUpdateStruct;
 
 /**
@@ -3471,6 +3472,69 @@ public function testMoveSubtreeKeepsContentHiddenOnChildren(): void
         }
     }
 
+    /**
+     * Test validating whether content that is being moved is still allowed to be moved when one of its locations
+     * is inaccessible by a current user, however, when moved location is accessible.
+     *
+     * @covers \eZ\Publish\API\Repository\LocationService::moveSubtree
+     *
+     * @throws \eZ\Publish\API\Repository\Exceptions\Exception
+     */
+    public function testMoveSubtreeContentWithMultipleLocationsAndOneOfThemInaccessible(): void
+    {
+        $repository = $this->getRepository();
+        $locationService = $repository->getLocationService();
+        $permissionResolver = $repository->getPermissionResolver();
+
+        $folder = $this->publishContentWithParentLocation('Parent folder', 2);
+        $accessibleFolder = $this->publishContentWithParentLocation('Accessible folder', 2);
+        $subFolder = $this->publishContentWithParentLocation(
+            'Sub folder',
+            $folder->contentInfo->mainLocationId
+        );
+        $contentToBeMoved = $this->publishContentWithParentLocation(
+            'Target folder',
+            $subFolder->contentInfo->mainLocationId
+        );
+        $forbiddenContent = $this->publishContentWithParentLocation('Forbidden folder', 2);
+
+        // Add second location (parent 'Forbidden folder') to 'Target content' in folder that user won't have access to
+        $locationService->createLocation(
+            $contentToBeMoved->contentInfo,
+            $locationService->newLocationCreateStruct($forbiddenContent->contentInfo->mainLocationId)
+        );
+
+        $folderLocation = $locationService->loadLocation($folder->contentInfo->mainLocationId);
+        $accessibleFolderLocation = $locationService->loadLocation($accessibleFolder->contentInfo->mainLocationId);
+
+        // Set user that cannot access 'Forbidden folder'
+        $user = $this->createUserWithPolicies(
+            'user',
+            [
+                ['module' => 'content', 'function' => 'read'],
+                ['module' => 'content', 'function' => 'create'],
+            ],
+            new SubtreeLimitation(
+                ['limitationValues' => [
+                        $folderLocation->getPathString(),
+                        $accessibleFolderLocation->getPathString(),
+                    ],
+                ]
+            )
+        );
+        $permissionResolver->setCurrentUserReference($user);
+
+        // Move Parent folder/Sub folder/Target folder to location of ID = 2
+        $locationService->moveSubtree(
+            $contentToBeMoved->contentInfo->getMainLocation(),
+            $accessibleFolderLocation
+        );
+
+        $targetContentMainLocation = $locationService->loadLocation($contentToBeMoved->contentInfo->mainLocationId);
+
+        self::assertSame($targetContentMainLocation->parentLocationId, $accessibleFolderLocation->id);
+    }
+
     public function testGetSubtreeSize(): Location
     {
         $repository = $this->getRepository();
diff --git a/eZ/Publish/API/Repository/Values/Content/ContentInfo.php b/eZ/Publish/API/Repository/Values/Content/ContentInfo.php
@@ -15,7 +15,7 @@
 /**
  * This class provides all version independent information of the Content object.
  *
- * @property-read int $id The unique id of the Content object
+ * @property-read int $id @deprecated Use {@see ContentInfo::getId} instead. The unique id of the Content object
  * @property-read int $contentTypeId The unique id of the Content Type object the Content object is an instance of
  * @property-read string $name the computed name (via name schema) in the main language of the Content object
  * @property-read int $sectionId the section to which the Content object is assigned
@@ -214,4 +214,9 @@ public function getOwner(): User
     {
         return $this->owner;
     }
+
+    public function getId(): int
+    {
+        return $this->id;
+    }
 }
diff --git a/eZ/Publish/Core/Repository/LocationService.php b/eZ/Publish/Core/Repository/LocationService.php
@@ -966,8 +966,17 @@ public function count(Filter $filter, ?array $languages = null): int
         return $this->locationFilteringHandler->count($filter);
     }
 
-    private function checkCreatePermissionOnSubtreeTarget(APILocation $targetParentLocation, APILocation $loadedSubtree, APILocation $loadedTargetLocation): void
-    {
+    /**
+     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
+     * @throws \eZ\Publish\API\Repository\Exceptions\BadStateException
+     * @throws \Ibexa\Contracts\Core\Repository\Exceptions\InvalidCriterionArgumentException
+     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
+     */
+    private function checkCreatePermissionOnSubtreeTarget(
+        APILocation $targetParentLocation,
+        APILocation $loadedSubtree,
+        APILocation $loadedTargetLocation
+    ): void {
         $locationTarget = (new DestinationLocationTarget($targetParentLocation->id, $loadedSubtree->contentInfo));
         if (!$this->permissionResolver->canUser(
             'content',
@@ -998,8 +1007,10 @@ private function checkCreatePermissionOnSubtreeTarget(APILocation $targetParentL
                     'limit' => 0,
                     'filter' => new CriterionLogicalAnd(
                         [
-                            new CriterionSubtree($loadedSubtree->pathString),
+                            new CriterionSubtree($loadedSubtree->getPathString()),
                             new CriterionLogicalNot($contentReadCriterion),
+                            // Do not take the same content into consideration as it can have more than one location
+                            new CriterionLogicalNot(new Criterion\ContentId($loadedSubtree->getContentInfo()->getId())),
                         ]
                     ),
                 ]

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@`
`15`	`15`	`/**`
`16`	`16`	`* This class provides all version independent information of the Content object.`
`17`	`17`	`*`
`18`		`- * @property-read int $id The unique id of the Content object`
	`18`	`+ * @property-read int $id @deprecated Use {@see ContentInfo::getId} instead. The unique id of the Content object`
`19`	`19`	`* @property-read int $contentTypeId The unique id of the Content Type object the Content object is an instance of`
`20`	`20`	`* @property-read string $name the computed name (via name schema) in the main language of the Content object`
`21`	`21`	`* @property-read int $sectionId the section to which the Content object is assigned`
`@@ -214,4 +214,9 @@ public function getOwner(): User`
`214`	`214`	`{`
`215`	`215`	`return $this->owner;`
`216`	`216`	`}`
	`217`	`+`
	`218`	`+ public function getId(): int`
	`219`	`+ {`
	`220`	`+ return $this->id;`
	`221`	`+ }`
`217`	`222`	`}`