From 6270ae8e18228146ae0c33319381dca0ab82a65a Mon Sep 17 00:00:00 2001
From: iglocska <andras.iklody@gmail.com>
Date: Sat, 24 Aug 2024 16:25:58 +0200
Subject: [PATCH] new: [metafield editor permission] added

- users/org admins/group admins/community admins can now only modify metafield data on any object if the permission is set for their role
- Since some communities use this for ACL to secondary tools, this will allow them to restrict who can modify them
---
 .../20240824000001_RoleMetaEditor.php         | 30 +++++++++++++++++++
 src/Controller/Component/CRUDComponent.php    | 20 ++++++++-----
 templates/Roles/add.php                       |  5 ++++
 templates/Roles/index.php                     |  6 ++++
 4 files changed, 53 insertions(+), 8 deletions(-)
 create mode 100644 config/Migrations/20240824000001_RoleMetaEditor.php

diff --git a/config/Migrations/20240824000001_RoleMetaEditor.php b/config/Migrations/20240824000001_RoleMetaEditor.php
new file mode 100644
index 0000000..30c6b00
--- /dev/null
+++ b/config/Migrations/20240824000001_RoleMetaEditor.php
@@ -0,0 +1,30 @@
+<?php
+declare(strict_types=1);
+
+use Migrations\AbstractMigration;
+use Phinx\Db\Adapter\MysqlAdapter;
+
+final class RoleMetaEditor extends AbstractMigration
+{
+    public $autoId = false; // turn off automatic `id` column create. We want it to be `int(10) unsigned`
+
+    public function change(): void
+    {
+        $exists = $this->table('roles')->hasColumn('perm_meta_field_editor');
+        if (!$exists) {
+            $this->table('roles')
+                ->addColumn('perm_meta_field_editor', 'boolean', [
+                    'default' => 0,
+                    'null' => false,
+                ])
+                ->addIndex('perm_meta_field_editor')
+                ->update();
+        }
+        $builder = $this->getQueryBuilder();
+        $builder
+            ->update('roles')
+            ->set('perm_meta_field_editor', true)
+            ->where(['perm_admin' => true])
+            ->execute();
+    }
+}
diff --git a/src/Controller/Component/CRUDComponent.php b/src/Controller/Component/CRUDComponent.php
index 9330740..7d87fd5 100644
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@@ -427,7 +427,9 @@ class CRUDComponent extends Component
     public function add(array $params = []): void
     {
         $data = $this->Table->newEmptyEntity();
-        if ($this->metaFieldsSupported()) {
+        $user = $this->Controller->ACL->getUser();
+        $metaFieldsEnabled = $user['role']['perm_meta_field_editor'] && $this->metaFieldsSupported();
+        if ($metaFieldsEnabled) {
             $metaTemplates = $this->getMetaTemplates();
             $data = $this->attachMetaTemplatesIfNeeded($data, $metaTemplates->toArray());
             if (isset($params['afterFind'])) {
@@ -452,7 +454,7 @@ class CRUDComponent extends Component
                     throw new NotFoundException(__('Could not save {0} due to the marshaling failing. Your input is bad and you should feel bad.', $this->ObjectAlias));
                 }
             }
-            if ($this->metaFieldsSupported()) {
+            if ($metaFieldsEnabled) {
                 $massagedData = $this->massageMetaFields($data, $input, $metaTemplates);
                 unset($input['MetaTemplates']); // Avoid MetaTemplates to be overriden when patching entity
                 $data = $massagedData['entity'];
@@ -526,10 +528,10 @@ class CRUDComponent extends Component
         if (!empty($errors)) {
             if (count($errors) == 1) {
                 $field = array_keys($errors)[0];
-                $fieldError = json_encode($errors[$field]);
+                $fieldError = implode(', ', array_values($errors[$field]));
                 $validationMessage = __('{0}: {1}', $field, $fieldError);
             } else {
-                $validationMessage = __('There has been validation issues with multiple fields: {0}', json_encode($errors));
+                $validationMessage = __('There has been validation issues with multiple fields');
             }
         }
         return $validationMessage;
@@ -692,7 +694,9 @@ class CRUDComponent extends Component
             $params['contain'][] = 'Tags';
             $this->setAllTags();
         }
-        if ($this->metaFieldsSupported()) {
+        $user = $this->Controller->ACL->getUser();
+        $metaFieldsEnabled = $user['role']['perm_meta_field_editor'] && $this->metaFieldsSupported();
+        if ($metaFieldsEnabled) {
             if (empty($params['contain'])) {
                 $params['contain'] = [];
             }
@@ -710,7 +714,7 @@ class CRUDComponent extends Component
             $query->where($params['conditions']);
         }
         $data = $query->first();
-        if ($this->metaFieldsSupported()) {
+        if ($metaFieldsEnabled) {
             $metaTemplates = $this->getMetaTemplates();
             $data = $this->attachMetaTemplatesIfNeeded($data, $metaTemplates->toArray());
         }
@@ -734,7 +738,7 @@ class CRUDComponent extends Component
                     throw new NotFoundException(__('Could not save {0} due to the marshaling failing. Your input is bad and you should feel bad.', $this->ObjectAlias));
                 }
             }
-            if ($this->metaFieldsSupported()) {
+            if ($metaFieldsEnabled) {
                 $massagedData = $this->massageMetaFields($data, $input, $metaTemplates);
                 unset($input['MetaTemplates']); // Avoid MetaTemplates to be overriden when patching entity
                 $data = $massagedData['entity'];
@@ -749,7 +753,7 @@ class CRUDComponent extends Component
             }
             $savedData = $this->Table->save($data);
             if ($savedData !== false) {
-                if ($this->metaFieldsSupported() && !empty($metaFieldsToDelete)) {
+                if ($metaFieldsEnabled && !empty($metaFieldsToDelete)) {
                     foreach ($metaFieldsToDelete as $k => $v) {
                         if ($v === null) {
                             unset($metaFieldsToDelete[$k]);
diff --git a/templates/Roles/add.php b/templates/Roles/add.php
index 4d6028f..fd3e284 100644
--- a/templates/Roles/add.php
+++ b/templates/Roles/add.php
@@ -32,6 +32,11 @@
                     'type' => 'checkbox',
                     'label' => 'Sync permission'
                 ],
+                [
+                    'field' => 'perm_meta_field_editor',
+                    'type' => 'checkbox',
+                    'label' => 'Meta field modification privilege'
+                ],
                 [
                     'field' => 'is_default',
                     'type' => 'checkbox',
diff --git a/templates/Roles/index.php b/templates/Roles/index.php
index 60eda62..d5e20e1 100644
--- a/templates/Roles/index.php
+++ b/templates/Roles/index.php
@@ -74,6 +74,12 @@ echo $this->element('genericElements/IndexTable/index_table', [
                 'data_path' => 'perm_sync',
                 'element' => 'boolean'
             ],
+            [
+                'name' => __('Meta field Editor'),
+                'sort' => 'perm_meta_field_editor',
+                'data_path' => 'perm_meta_field_editor',
+                'element' => 'boolean'
+            ],
             [
                 'name' => 'Default',
                 'sort' => 'is_default',