[Fix]: Add root node permissions (#279)

* fix: add missing root node permissions

* Apply php-cs-fixer changes

* fix: STAN

* try to specify server version

* try to specify server version

* try to specify server version

* try to specify server version

* fix: codeception

* fix: tests

---------

Co-authored-by: lukmzig <[email protected]>

Author: lukmzig

.github/workflows/elastic-search-codeception.yaml

@@ -30,7 +30,7 @@ jobs:
         strategy:
             matrix:
                 include:
-                    - { php-version: "8.3", dependencies: "highest", pimcore_version: "11.x-dev as 11.99.9", experimental: true, search_engine: "elasticsearch"}
+                    - { php-version: "8.3", dependencies: "highest", pimcore_version: "^11.5", experimental: true, search_engine: "elasticsearch"}
 
         services:
             mariadb:

.github/workflows/open-search-codeception.yaml

@@ -32,7 +32,7 @@ jobs:
                 include:
                     - { php-version: "8.2", dependencies: "lowest", pimcore_version: "", experimental: false, search_engine: "openSearch" }
                     - { php-version: "8.3", dependencies: "highest", pimcore_version: "", experimental: false, search_engine: "openSearch"}
-                    - { php-version: "8.3", dependencies: "highest", pimcore_version: "11.x-dev as 11.99.9", experimental: true, search_engine: "openSearch"}
+                    - { php-version: "8.3", dependencies: "highest", pimcore_version: "^11.5", experimental: true, search_engine: "openSearch"}
 
         services:
             mariadb:

.github/workflows/static-analysis.yaml

@@ -26,7 +26,7 @@ jobs:
                 include:
                     - { php-version: "8.2", dependencies: "lowest", experimental: false }
                     - { php-version: "8.3", dependencies: "highest", experimental: false }
-                    - { php-version: "8.3", dependencies: "highest", pimcore_version: "11.x-dev as 11.99.9", experimental: true }
+                    - { php-version: "8.3", dependencies: "highest", pimcore_version: "^11.5", experimental: true }
         steps:
             - name: "Checkout code"
               uses: "actions/checkout@v2"

src/Service/Permission/PermissionService.php

@@ -50,10 +50,11 @@ public function getAssetPermissions(
         /** @var AssetPermissions $permissions */
         $permissions = $this->getPermissions(
             elementPath: $asset->getFullPath(),
+            parentId: $asset->getParentId(),
             permissionsType: AssetWorkspace::WORKSPACE_TYPE,
             defaultPermissions: $permissions,
             user: $user
-        ) ?? $permissions;
+        );
 
         return $this->eventService->dispatchAssetSearchEvent($asset, $permissions)->getPermissions();
     }
@@ -66,10 +67,11 @@ public function getDocumentPermissions(
         /** @var DocumentPermissions $permissions */
         $permissions = $this->getPermissions(
             elementPath: $document->getFullPath(),
+            parentId: $document->getParentId(),
             permissionsType: DocumentWorkspace::WORKSPACE_TYPE,
             defaultPermissions: $permissions,
             user: $user
-        ) ?? $permissions;
+        );
 
         return $this->eventService->dispatchDocumentSearchEvent($document, $permissions)->getPermissions();
     }
@@ -82,10 +84,11 @@ public function getDataObjectPermissions(
         /** @var DataObjectPermissions $permissions */
         $permissions = $this->getPermissions(
             elementPath: $object->getFullPath(),
+            parentId: $object->getParentId(),
             permissionsType: DataObjectWorkspace::WORKSPACE_TYPE,
             defaultPermissions: $permissions,
             user: $user,
-        ) ?? $permissions;
+        );
 
         return $this->eventService->dispatchDataObjectSearchEvent($object, $permissions)->getPermissions();
     }
@@ -111,17 +114,18 @@ public function getPermissionValue(BasePermissions $permissions, string $permiss
 
     private function getPermissions(
         string $elementPath,
+        int $parentId,
         string $permissionsType,
         BasePermissions $defaultPermissions,
         ?User $user
-    ): ?BasePermissions {
+    ): BasePermissions {
         $adminPermissions = $this->getAdminUserPermissions(
             $user,
             $defaultPermissions
         );
 
         if ($adminPermissions) {
-            return $adminPermissions;
+            return $this->addRootNodePermissions($elementPath, $parentId, $adminPermissions);
         }
 
         $userWorkspaces = $this->workspaceService->getRelevantWorkspaces(
@@ -136,8 +140,9 @@ private function getPermissions(
                 $elementPath
             );
         }
+        $permissions = $this->getPermissionsFromWorkspaces($userWorkspaces, $userRoleWorkspaces) ?? $defaultPermissions;
 
-        return $this->getPermissionsFromWorkspaces($userWorkspaces, $userRoleWorkspaces);
+        return $this->addRootNodePermissions($elementPath, $parentId, $permissions);
     }
 
     private function getAdminUserPermissions(
@@ -206,4 +211,20 @@ private function addRelevantRolePermissions(
 
         return $workspacePermissions;
     }
+
+    private function addRootNodePermissions(
+        string $fullPath,
+        int $parentId,
+        BasePermissions $permissions
+    ): BasePermissions {
+        if ($fullPath === '/' && $parentId === 0) {
+            $permissions->setDelete(false);
+            $permissions->setRename(false);
+            if (method_exists($permissions, 'setUnpublish')) {
+                $permissions->setUnpublish(false);
+            }
+        }
+
+        return $permissions;
+    }
 }

tests/Unit/Service/Permission/PermissionServiceTest.php

@@ -54,9 +54,9 @@ final class PermissionServiceTest extends Unit
     public function _before(): void
     {
         $this->user = new User();
-        $this->assetSearchResult = new AssetSearchResultItem();
-        $this->dataObjectSearchResult = new DataObjectSearchResultItem();
-        $this->documentSearchResultItem = new DocumentSearchResultItem();
+        $this->assetSearchResult = (new AssetSearchResultItem())->setParentId(1);
+        $this->dataObjectSearchResult = (new DataObjectSearchResultItem())->setParentId(1);
+        $this->documentSearchResultItem = (new DocumentSearchResultItem())->setParentId(1);
     }
 
     public function testAssetPermissionWithUserOnRoot(): void
@@ -67,13 +67,14 @@ public function testAssetPermissionWithUserOnRoot(): void
             type: AssetWorkspace::WORKSPACE_TYPE
         )]);
         $assetPermission = $this->getPermissionServiceWithUser()->getAssetPermissions(
-            $this->assetSearchResult->setFullPath('/'),
+            $this->assetSearchResult->setParentId(0)->setFullPath('/'),
             $this->user
         );
 
         $this->assertTrue($assetPermission->isView());
         $this->assertTrue($assetPermission->isList());
         $this->assertFalse($assetPermission->isDelete());
+        $this->assertFalse($assetPermission->isRename());
     }
 
     public function testAssetPermissionWithUserOnCustomPath(): void
@@ -160,12 +161,13 @@ public function testAssetPermissionWithoutUserOnRoot(): void
     {
         $permissionService = $this->getPermissionServiceWithoutUser();
         $assetPermission = $permissionService->getAssetPermissions(
-            $this->assetSearchResult->setFullPath('/'),
+            $this->assetSearchResult->setParentId(0)->setFullPath('/'),
             null
         );
         $this->assertSame(self::DEFAULT_VALUE, $assetPermission->isList());
         $this->assertSame(self::DEFAULT_VALUE, $assetPermission->isView());
         $this->assertSame(self::DEFAULT_VALUE, $assetPermission->isRename());
+        $this->assertSame(self::DEFAULT_VALUE, $assetPermission->isDelete());
     }
 
     public function testObjectPermissionWithUserOnRoot(): void
@@ -176,15 +178,16 @@ public function testObjectPermissionWithUserOnRoot(): void
             type: DataObjectWorkspace::WORKSPACE_TYPE
         )]);
         $permission = $this->getPermissionServiceWithUser()->getDataObjectPermissions(
-            $this->dataObjectSearchResult->setFullPath('/'),
+            $this->dataObjectSearchResult->setParentId(0)->setFullPath('/'),
             $this->user
         );
 
         $this->assertTrue($permission->isView());
         $this->assertTrue($permission->isList());
         $this->assertTrue($permission->isPublish());
-        $this->assertTrue($permission->isUnpublish());
         $this->assertFalse($permission->isDelete());
+        $this->assertFalse($permission->isUnpublish());
+        $this->assertFalse($permission->isRename());
     }
 
     public function testObjectPermissionWithUserOnCustomPath(): void
@@ -272,7 +275,7 @@ public function testObjectPermissionWithoutUserOnRoot(): void
     {
         $permissionService = $this->getPermissionServiceWithoutUser();
         $permission = $permissionService->getDataObjectPermissions(
-            $this->dataObjectSearchResult->setFullPath('/'),
+            $this->dataObjectSearchResult->setParentId(0)->setFullPath('/'),
             null
         );
 
@@ -290,15 +293,16 @@ public function testDocumentPermissionWithUserOnRoot(): void
             type: DocumentWorkspace::WORKSPACE_TYPE
         )]);
         $permission = $this->getPermissionServiceWithUser()->getDocumentPermissions(
-            $this->documentSearchResultItem->setFullPath('/'),
+            $this->documentSearchResultItem->setParentId(0)->setFullPath('/'),
             $this->user
         );
 
         $this->assertTrue($permission->isView());
         $this->assertTrue($permission->isSave());
         $this->assertTrue($permission->isPublish());
-        $this->assertTrue($permission->isUnpublish());
+        $this->assertFalse($permission->isUnpublish());
         $this->assertFalse($permission->isList());
+        $this->assertFalse($permission->isDelete());
     }
 
     public function testDocumentPermissionWithUserOnCustomPath(): void