[Improvement]Handle special language workspace permissions (#280)

* add logic to consider and return special language permissions

* Apply php-cs-fixer changes

* fix: unit tests

* fix: unit tests

---------

Co-authored-by: lukmzig <[email protected]>

doc/01_Installation/02_Upgrade.md

@@ -17,6 +17,8 @@ Following steps are necessary during updating to newer versions.
 - Removed deprecated class `Pimcore\Bundle\GenericDataIndexBundle\SearchIndexAdapter\OpenSearch\DataObject\FieldDefinitionAdapter\AbstractAdapter` please use `Pimcore\Bundle\GenericDataIndexBundle\SearchIndexAdapter\DefaultSearch\DataObject\FieldDefinitionAdapter\AbstractAdapter` instead
 - Added default prefix `data-object_` prefix to all data object class definition index names. This change is necessary to avoid conflicts with other index names.
 - Add element type to the `getIds` method of `Pimcore\Bundle\GenericDataIndexBundle\Model\Search\Element\SearchResult\ElementSearchResult`
+- Added `getSpecialPermissions` method to `Pimcore\Bundle\GenericDataIndexBundle\Service\Permission\ElementPermissionServiceInterface` to get special permissions workspace language permissions for elements
+- Removed layout permission from `Pimcore\Bundle\GenericDataIndexBundle\Permission\DataObjectPermissions` as they are not index relevant
 
 #### Interface changes
 - Added `PermissionTypes $permissionType` parameter with default type `PermissionTypes::LIST` to

src/Permission/DataObjectPermissions.php

@@ -29,8 +29,6 @@ final class DataObjectPermissions extends BasePermissions
 
     private ?string $localizedView = null;
 
-    private ?string $layouts = null;
-
     public function isSave(): bool
     {
         return $this->save;
@@ -71,16 +69,6 @@ public function setLocalizedView(?string $localizedView): void
         $this->localizedView = $localizedView;
     }
 
-    public function isLayouts(): ?string
-    {
-        return $this->layouts;
-    }
-
-    public function setLayouts(?string $layout): void
-    {
-        $this->layouts = $layout;
-    }
-
     public function getClassProperties(array $properties = []): array
     {
         return parent::getClassProperties(get_object_vars($this));

src/Permission/Workspace/AbstractWorkspace.php

@@ -16,7 +16,9 @@
 
 namespace Pimcore\Bundle\GenericDataIndexBundle\Permission\Workspace;
 
-use Pimcore\Bundle\GenericDataIndexBundle\Permission\BasePermissions;
+use Pimcore\Bundle\GenericDataIndexBundle\Permission\AssetPermissions;
+use Pimcore\Bundle\GenericDataIndexBundle\Permission\DataObjectPermissions;
+use Pimcore\Bundle\GenericDataIndexBundle\Permission\DocumentPermissions;
 use Pimcore\Model\User\Workspace;
 
 /**
@@ -38,14 +40,14 @@ public function getPath(): string
         return $this->path;
     }
 
-    public function getPermissions(): BasePermissions
+    public function getPermissions(): AssetPermissions|DataObjectPermissions|DocumentPermissions
     {
         return $this->permissions;
     }
 
     protected function setWorkspacePermissions(
         Workspace\Asset|Workspace\DataObject|Workspace\Document $userPermissions,
-        BasePermissions $workspacePermissions
+        AssetPermissions|DataObjectPermissions|DocumentPermissions $workspacePermissions
     ): void {
         $properties = $workspacePermissions->getClassProperties();
         foreach ($properties as $property => $value) {

src/Permission/Workspace/WorkspaceInterface.php

@@ -16,7 +16,9 @@
 
 namespace Pimcore\Bundle\GenericDataIndexBundle\Permission\Workspace;
 
-use Pimcore\Bundle\GenericDataIndexBundle\Permission\BasePermissions;
+use Pimcore\Bundle\GenericDataIndexBundle\Permission\AssetPermissions;
+use Pimcore\Bundle\GenericDataIndexBundle\Permission\DataObjectPermissions;
+use Pimcore\Bundle\GenericDataIndexBundle\Permission\DocumentPermissions;
 
 /**
  * @internal
@@ -25,5 +27,5 @@ interface WorkspaceInterface
 {
     public function getPath(): string;
 
-    public function getPermissions(): BasePermissions;
+    public function getPermissions(): AssetPermissions|DataObjectPermissions|DocumentPermissions;
 }

src/Service/Permission/ElementPermissionService.php

@@ -16,6 +16,7 @@
 
 namespace Pimcore\Bundle\GenericDataIndexBundle\Service\Permission;
 
+use Pimcore\Bundle\GenericDataIndexBundle\Permission\DataObjectPermissions;
 use Pimcore\Bundle\GenericDataIndexBundle\Service\Transformer\SearchResultItem\AssetToSearchResultItemTransformerInterface;
 use Pimcore\Bundle\GenericDataIndexBundle\Service\Transformer\SearchResultItem\DataObjectToSearchResultItemTransformerInterface;
 use Pimcore\Bundle\GenericDataIndexBundle\Service\Transformer\SearchResultItem\DocumentToSearchResultItemTransformerInterface;
@@ -41,16 +42,31 @@ public function __construct(
     public function isAllowed(
         string $permission,
         ElementInterface $element,
-        User $user
+        User $user,
+        ?string $specialPermission = null
     ): bool {
         return match (true) {
             $element instanceof Asset => $this->isAssetAllowed($permission, $element, $user),
-            $element instanceof DataObject => $this->isDataObjectAllowed($element, $permission, $user),
+            $element instanceof DataObject => $this->isDataObjectAllowed(
+                $element,
+                $permission,
+                $user,
+                $specialPermission
+            ),
             $element instanceof Document => $this->isDocumentAllowed($element, $permission, $user),
             default => false,
         };
     }
 
+    public function getSpecialPermissions(DataObject $dataObject, User $user, string $permission): array
+    {
+
+        return $this->permissionService->getSpecialPermissionValues(
+            $this->getPermissionsFromDataObject($dataObject, $user),
+            $permission
+        );
+    }
+
     private function isAssetAllowed(
         string $permission,
         Asset $asset,
@@ -69,16 +85,15 @@ private function isAssetAllowed(
     private function isDataObjectAllowed(
         DataObject $dataObject,
         string $permission,
-        User $user
+        User $user,
+        ?string $specialPermission = null
     ): bool {
-        $dataObjectSearchResultItem = $this->dataObjectTransformer->transform($dataObject, $user);
 
-        $permissions = $this->permissionService->getDataObjectPermissions(
-            $dataObjectSearchResultItem,
-            $user
+        return $this->permissionService->getPermissionValue(
+            $this->getPermissionsFromDataObject($dataObject, $user),
+            $permission,
+            $specialPermission
         );
-
-        return $this->permissionService->getPermissionValue($permissions, $permission);
     }
 
     private function isDocumentAllowed(
@@ -95,4 +110,14 @@ private function isDocumentAllowed(
 
         return $this->permissionService->getPermissionValue($permissions, $permission);
     }
+
+    private function getPermissionsFromDataObject(DataObject $dataObject, User $user): DataObjectPermissions
+    {
+        $dataObjectSearchResultItem = $this->dataObjectTransformer->transform($dataObject, $user);
+
+        return $this->permissionService->getDataObjectPermissions(
+            $dataObjectSearchResultItem,
+            $user
+        );
+    }
 }

src/Service/Permission/ElementPermissionServiceInterface.php

@@ -16,6 +16,7 @@
 
 namespace Pimcore\Bundle\GenericDataIndexBundle\Service\Permission;
 
+use Pimcore\Model\DataObject;
 use Pimcore\Model\Element\ElementInterface;
 use Pimcore\Model\User;
 
@@ -24,6 +25,9 @@ interface ElementPermissionServiceInterface
     public function isAllowed(
         string $permission,
         ElementInterface $element,
-        User $user
+        User $user,
+        ?string $specialPermission = null
     ): bool;
+
+    public function getSpecialPermissions(DataObject $dataObject, User $user, string $permission): array;
 }

src/Service/Permission/PermissionService.php

@@ -28,6 +28,7 @@
 use Pimcore\Bundle\GenericDataIndexBundle\Permission\Workspace\DocumentWorkspace;
 use Pimcore\Bundle\GenericDataIndexBundle\Permission\Workspace\WorkspaceInterface;
 use Pimcore\Bundle\GenericDataIndexBundle\Service\EventServiceInterface;
+use Pimcore\Bundle\GenericDataIndexBundle\Service\SearchIndex\LanguageServiceInterface;
 use Pimcore\Bundle\GenericDataIndexBundle\Service\Workspace\WorkspaceServiceInterface;
 use Pimcore\Model\User;
 
@@ -36,8 +37,14 @@
  */
 final readonly class PermissionService implements PermissionServiceInterface
 {
+    private const SPECIAL_PERMISSIONS = [
+        'localizedView',
+        'localizedEdit',
+    ];
+
     public function __construct(
         private EventServiceInterface $eventService,
+        private LanguageServiceInterface $languageService,
         private WorkspaceServiceInterface $workspaceService,
     ) {
     }
@@ -102,14 +109,41 @@ public function checkWorkspacePermission(
         return $this->getPermissionValue($permissions, $permission);
     }
 
-    public function getPermissionValue(BasePermissions $permissions, string $permission): bool
+    public function getPermissionValue(
+        AssetPermissions|DocumentPermissions|DataObjectPermissions $permissions,
+        string $permission,
+        ?string $permissionValueKey = null
+    ): bool {
+        $getter = 'is' . ucfirst($permission);
+        if (!method_exists($permissions, $getter)) {
+            return false;
+        }
+
+        $value = $permissions->$getter();
+        if ($permissions instanceof DataObjectPermissions && !is_bool($value)) {
+            return in_array(
+                $permissionValueKey,
+                $this->getSpecialPermissionValues($permissions, $permission),
+                true
+            );
+        }
+
+        return $value;
+    }
+
+    public function getSpecialPermissionValues(DataObjectPermissions $permissions, string $permission): array
     {
+        if (!in_array($permission, self::SPECIAL_PERMISSIONS)) {
+            return [];
+        }
+
         $getter = 'is' . ucfirst($permission);
-        if (method_exists($permissions, $getter)) {
-            return $permissions->$getter();
+        $permissionValues = $permissions->$getter();
+        if ($permissionValues === null) {
+            return [];
         }
 
-        return false;
+        return explode(',', $permissionValues);
     }
 
     private function getPermissions(
@@ -155,9 +189,15 @@ private function getAdminUserPermissions(
 
         $properties = $permissions->getClassProperties();
         foreach ($properties as $property => $value) {
+            $setter = 'set' . ucfirst($property);
             if (is_bool($value)) {
-                $setter = 'set' . ucfirst($property);
                 $permissions->$setter(true);
+
+                continue;
+            }
+
+            if (in_array($property, self::SPECIAL_PERMISSIONS, true)) {
+                $permissions->$setter(implode(',', $this->languageService->getValidLanguages()));
             }
         }
 

src/Service/Permission/PermissionServiceInterface.php

@@ -20,7 +20,6 @@
 use Pimcore\Bundle\GenericDataIndexBundle\Model\Search\DataObject\SearchResult\DataObjectSearchResultItem;
 use Pimcore\Bundle\GenericDataIndexBundle\Model\Search\Document\SearchResult\DocumentSearchResultItem;
 use Pimcore\Bundle\GenericDataIndexBundle\Permission\AssetPermissions;
-use Pimcore\Bundle\GenericDataIndexBundle\Permission\BasePermissions;
 use Pimcore\Bundle\GenericDataIndexBundle\Permission\DataObjectPermissions;
 use Pimcore\Bundle\GenericDataIndexBundle\Permission\DocumentPermissions;
 use Pimcore\Bundle\GenericDataIndexBundle\Permission\Workspace\WorkspaceInterface;
@@ -51,5 +50,11 @@ public function checkWorkspacePermission(
         string $permission
     ): bool;
 
-    public function getPermissionValue(BasePermissions $permissions, string $permission): bool;
+    public function getPermissionValue(
+        AssetPermissions|DocumentPermissions|DataObjectPermissions $permissions,
+        string $permission,
+        ?string $permissionValueKey = null
+    ): bool;
+
+    public function getSpecialPermissionValues(DataObjectPermissions $permissions, string $permission): array;
 }

tests/Unit/Service/Permission/PermissionServiceTest.php

@@ -27,6 +27,7 @@
 use Pimcore\Bundle\GenericDataIndexBundle\Permission\Workspace\DocumentWorkspace;
 use Pimcore\Bundle\GenericDataIndexBundle\Service\EventService;
 use Pimcore\Bundle\GenericDataIndexBundle\Service\Permission\PermissionService;
+use Pimcore\Bundle\GenericDataIndexBundle\Service\SearchIndex\LanguageServiceInterface;
 use Pimcore\Bundle\GenericDataIndexBundle\Service\Workspace\WorkspaceService;
 use Pimcore\Bundle\StaticResolverBundle\Models\User\UserResolver;
 use Pimcore\Bundle\StaticResolverBundle\Models\User\UserResolverInterface;
@@ -473,6 +474,7 @@ private function getPermissionServiceWithUser(): PermissionService
     {
         return new PermissionService(
             $this->getEventService(),
+            $this->makeEmpty(LanguageServiceInterface::class),
             new WorkspaceService(
                 $this->makeEmpty(UserResolverInterface::class, [
                     'getUserRoleById' => $this->role,
@@ -485,6 +487,7 @@ private function getPermissionServiceWithoutUser(): PermissionService
     {
         return new PermissionService(
             $this->getEventService(),
+            $this->makeEmpty(LanguageServiceInterface::class),
             new WorkspaceService(
                 new UserResolver()
             )