I have an Ember application on the frontend consuming Drupal's JSONAPI.
Drupal has the commerce module installed.
The ember application is requesting all product_types, and needs to display information about the product types.
The product type has fields on it such as description variationType and label, but as an anonymous user, I cannot see all these attributes, only label.
It seems like this is an issue with the way The commerce module checks permissions.
if (!$access->isAllowed()) {
// If this is the default revision or the entity is not revisionable, then
// check access to the entity label. Revision support is all or nothing.
if (!$entity->getEntityType()->isRevisionable() || $entity->isDefaultRevision()) {
$label_access = $entity->access('view label', NULL, TRUE);
$entity->addCacheableDependency($label_access);
if ($label_access->isAllowed()) {
return LabelOnlyResourceObject::createFromEntity($resource_type, $entity);
In the wild -- https://github.com/Free5Dev/drupalMagellium/blob/f5b0344a528a1df788c94e7558a6826dc9a2f736/core/modules/jsonapi/src/Access/EntityAccessChecker.php#L181
Here jsonapi decides to render a limited version of the entity.
It seems like this entity needs to be made revisionable in order to pass the above check and be fully rendered.
https://github.com/drupalcommerce/commerce/blob/8.x-2.x/modules/product/src/Entity/ProductType.php
How do I make the ProductType entity revisionable?
I've found this https://www.drupal.org/docs/8/api/entity-api/making-an-entity-revisionable but it seems to be limited in it's explanation.
Drupal's JSON:API module does not bring it's own authorization logic. It respects and uses all security measures that Drupal has for that data. You find more details on that one in Security considerations chapter of the module docs.
Drupal Commerce does not provide it's own access management either. Atleast that is what I get from their docs.
You should check your field permissions. Maybe they are customized using Field Permissions module? You may want to Audit Entity Access and Field Access as recommended in docs of JSON:API module.
Related
Want to make alfresco site read only in alfresco community 5.0 so that no one can make any changes or edit that during migration.
I already tried changing the user/group permissions but that method doesn't work properly. Is there any other way to make the sites read only?
You need to make all sites in read only mode and so entire Repository should be in read-only mode for migration!
Try this property in your alfresco-global.prop file
server.allowWrite=false
Please check this for reference
The best way to make a site read only would probably be to modify all members of that site to have the consumer role (this would prevent them for creating new content or editing any existing content).
Unfortunately there is no bulk capability built into the UI to do this, however it should be a relatively straightforward exercise to create an admin only custom WebScript to achieve this. It would necessary for the Admin to become the site manager of each site before attempting to change the role of each site member, but there is an API for doing this.
Alternatively (if you have only a few sites) then you could do this manually through the UI using the Site Management Admin Console page. Again, the Admin would need to become the Site Manager for each Site and then visit the site and change the role of every member.
As suggested by #DaveDraper in a former answer, you could setup site memberships to the consumer role. However, this won't take into account any special permission given on a particular node (folder/document) in that site either with or without inheritance of permission.
So, if you intend to block any writes on the entire alfresco repo/site you could simply setup an extra security interceptor on your NodeService to block any write access using the NodeService.
PS : You could get some inspiration from the "NodeService_security" bean and implementation !
I can think of a turn-around or two, but those would be really sloppy so I won't be including them in this response
Not sure if this is stackoverflow typically question (I'll remove it if suggested), still may help me understand the possible options here.
I would like to know if it's somehow possible beside core, master and web instances to append new content database (let say for some form's filled with data by web users with CRUD repository using existing sitecore api). Editable/readonly from CMS, visible for exports, reports or charts via CMS using custom modules.
Somehow this DB should be located on the same level with Web Database, it's important to follow templates and functionality from sitecore legacy functionality.
This entire shebang will be used in as Sitecore Custom Module (installation, integration customization, management, blah, blah blah). Important: Items stored in this database are pure data items.
I found vague information on John west Sitecore blog, so what I asking more then the direct solution in front of my eyes references or examples how to, or signals if it's against the policy.
Best reference until now: http://intothecore.cassidy.dk/2009/05/working-with-multiple-content-databases.html article written by Mark Cassidy.
The reason you don't find much information on this is because its very uncommon to add another database which is accessible to Sitecore as per the john west blog. Note the data of that post also. I'm not aware of your requirements but I have never seen it done or found a need for it.
With user input data such as forms, comments etc. You have three data considerations storage, access and reporting. In a scenario where you would like to store this data and access it in Sitecore. I would approach it as follows:
Storage of that data should be in the master database inside a bucket. From version 7.0+ buckets were introduced so you can add virtually unlimited data to a Sitecore database. There was a buckets module which supported 6.3+ but appears to not be downloadable anymore: https://marketplace.sitecore.net/en/modules/sitecore_item_buckets.aspx. The code is out there though and possibly Sitecore support would even provide it.
The master database in a standard production environment (split content management and content delivery environments) if not accessible directly via connection string is made accessible by calling the Sitecore web API or creating a custom web service.
Requirements such as reporting and/or shared access to the data for other applications could possibly provide reasons to create a custom database but otherwise there is no reason not to store it in the master database.
You have to save the information filled by the user in Master database so that you can modify or use it using SItecore API.
Since the users filling the form may not have access to modify Sitecore Master DB. You would have to either switch the user to a user with least permissions required to make those changes(safer) or You would have to disable the security for a while and perform those tasks(not recommended). Both of these are explained in http://www.nehemiahj.com/2012/03/how-to-use-securitydisabler-and_15.html
And then add the form as an item in master db. If the number of form items created using this is more then use Sitecore Buckets.
I have two drupal 7 sites and I want them to share content of a certain content type. I want to have this content stored in an external database. How could I make this happen with a custom module?
You can setup a Rest server.
Then you can use views to share the information you want.
Module: https://drupal.org/project/services
Maybe have a closer look on these modules:
Drupal Sync
Drupal Deploy
I didn't try out one of these so far, but I think it's what you are looking for.
Contents (ie. nodes) on a Drupal site are not stored in a single tables. The same tables are used to store content of different content type. Some of the tables are created dynamically when you add fields to a content type, or when you change their settings. So you cannot share some contents between two sites by simply sharing the table(s) used to store them.
As a rule of thumb, you cannot achieve anything complexe in Drupal by simply doing stuff at the database level. There is too much storage logic implemented in (PHP) code that cannot be ignored when accessing the DB. You should always base your solution on Drupal's API (and most of the time, not the DB layer API, but the high-level API such as the Node and Fields APIs).
That said, there is no core API to communicate between sites. I would use one of the site as the canonical source of the shared contents and the only site where they can be edited. Then somehow replicate these content on the second site. This can be done with the Services or RESTful Web Services module on the second site, and a custom module on the first site, used to push new contents and the updated contents to the second through a REST service.
I have created custom type in alfresco and added some properties to it.
Now whenever anyone access file having this custom type, I want to audit all properties of custom type, but alfresco only auditing modified/added/deleted properties.
How to log all properties of custom type in audit?
Thanks, Yogesh
You should probably read the documentation on the Audit Service and then if you get stuck, ask a more specific question including what you've tried and what's not working.
The alfresco audit service has extractors and generators.
Generators can audit information that is not present in the input path.
I think that you should be able to use a generator to audit all your custom properties.
Suppose I have two content typs, "Job Listing" and "Job Application". A job application has a field (using the CCK module) to reference the job listing (a required field). Suppose the job application has a field "Status" with values like "new", "accepted", "rejected".
I would like to set permissions so that the job application status can only be set by the creator of the job listing it corresponds to. If there is an addon that can do this great. I would also like general direction as to how a custom addon might implement this.
(I am following the scenario in Ch. 3 of O'Reilly's "Using Drupal")
I don't know if there is a module for this but this can be done pretty easily with some custom code though.
Use hook_form_alter to add your own validate handler to the node_edit form for the application content type.
Check to see if the value has changed
Set an error is user isn't the creator or has the administer content permission.
You're done.
Directions by googletorp are on the right track but you will have to take care of some more permissions also.
Remove the edit own permission for the application content type.
Also you probably do not want author of one job listing editing the applications in response to some other job listing. This is hard to do with any built in permissions. So check in the form_alter hook that current user is the same as the author of the job listing to which the application being edited is connected to.