Incompatibility with "roles" Extension
There is a problem when using this extension in combination with https://github.com/IchHabRecht/begroups_roles - which is a "perfect fit" for our complex permission use-cases:
The "roles" extension allows the editor to switch his "groups" throughout the same session. This means that depending on the "role" (a be_group) the use chooses (from the main top toolbar), this group's permissions are used exclusively, and thus a backend is stripped down to what this group allows.
The problem is that be_acl comes with a "permission cache", which loads the user-permissions in a cache. This cache is now no longer valid when the user switches his "role" resulting in wrong permission checks (i.e. user cannot save a record).
I have no clue on how to solve the problem other that disabling this cache. Maybe you have some ideas. :)
#1 Updated by Ernesto Baschny about 2 years ago
Issue reported also here: https://github.com/IchHabRecht/begroups_roles/issues/9
#4 Updated by Jan Bartels about 2 years ago
Ernesto: please try the following patch:
be_acl/Classes/Cache/PermissionCache.php line 215
$usergroup_cached_list = str_replace( ',', '_', $this->backendUser->user['usergroup_cached_list'] ); $identifier = static::CACHE_IDENTIFIER_PERMISSIONS . '_' . $this->backendUser->user['uid'] . '_' . $usergroup_cached_list;
This modification adds the actual list of the assigned BE-usergroups to the cache-identifier. Thus, if the grouplist is changed by switching the role, the cache-identifier differs from the former one. Does this work for you? I haven't tested it with begroups_roles so far.
#5 Updated by Nicole Cordes about 2 years ago
As far as I understand the extension, you should care about the usergroup even besides the begroups_roles extension. Imagine there is a cache entry available but the groups of the user were changed in the backend by an admin. You need to verify and/or drop existing caches if a user or group was edited. I would suggest to include the groups in cache data and add another check to \JBartels\BeAcl\Cache\PermissionCache::isValidCacheData that compares the current groups with the ones available in the cache data.