Description
Pimcore version
11.5.14.1 / admin-ui-classic-bundle 1.7.16 (verified also on 12.x / admin-ui-classic-bundle 2.x)
Note: In admin-ui-classic-bundle 2.x, the method is renamed to mergeWorkflowPermissions()
Steps to reproduce
See related issue in pimcore/pimcore repository about isDeniedInWorkflow() null handling.
- Create a workflow for DataObjects without defining all permission rules
- Create a user with specific permissions
- Apply workflow to an object
- User permissions are incorrectly overwritten
Actual Behavior
In ElementService::adaptPermissionsForWorkflows(), workflow permissions are always merged with user permissions, even when the workflow doesn't define a rule for that permission.
```php
$workflowPermission = [
    'settings' => !$workflowManager->isDeniedInWorkflow($element, 'settings'),
    // ...
];
return array_merge($permissions, $workflowPermission);
```
When isDeniedInWorkflow() returns false for an undefined permission, !false = true, which then overwrites any existing user permission.
Expected Behavior
Only explicitly defined workflow permissions should be merged. Null/undefined permissions should be filtered out.
Affected file: src/Service/ElementService.php - adaptPermissionsForWorkflows() method
Suggested fix:
Use the new returnNull parameter from Manager::isDeniedInWorkflow() and filter null values before merging:
```php
$workflowPermission = [
    'settings' => $workflowManager->isDeniedInWorkflow($element, 'settings', true),
    // ...
];
// Filter out null values and invert (isDenied -> isAllowed)
$workflowPermission = array_filter($workflowPermission, fn($v) => $v !== null);
$workflowPermission = array_map(fn(bool $v) => !$v, $workflowPermission);
return array_merge($permissions, $workflowPermission);
```
Related: Requires fix in pimcore/pimcore - lib/Workflow/Manager.php (pimcore/pimcore#18938)
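
The two merge strategies side by side, as an added example that is not part of the original issue or of Pimcore's code. The standalone isDeniedInWorkflow() stub, the helper names mergeAlways() and mergeDefinedOnly(), and the sample permission data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the workflow manager. $rules holds only the
// permissions the workflow explicitly defines (true = denied).
function isDeniedInWorkflow(array $rules, string $permission, bool $returnNull = false): ?bool
{
    if (!array_key_exists($permission, $rules)) {
        return $returnNull ? null : false; // no rule defined for this permission
    }
    return $rules[$permission];
}

// Merge described under "Actual Behavior": every key is inverted and merged.
function mergeAlways(array $userPermissions, array $rules, array $keys): array
{
    $workflowPermission = [];
    foreach ($keys as $key) {
        $workflowPermission[$key] = !isDeniedInWorkflow($rules, $key);
    }
    return array_merge($userPermissions, $workflowPermission);
}

// Merge from the suggested fix: undefined (null) rules are dropped first.
function mergeDefinedOnly(array $userPermissions, array $rules, array $keys): array
{
    $workflowPermission = [];
    foreach ($keys as $key) {
        $workflowPermission[$key] = isDeniedInWorkflow($rules, $key, true);
    }
    $workflowPermission = array_filter($workflowPermission, fn($v) => $v !== null);
    $workflowPermission = array_map(fn(bool $v) => !$v, $workflowPermission);
    return array_merge($userPermissions, $workflowPermission);
}

// Constructed sample data: the user is denied 'settings' and 'delete',
// and the workflow defines a rule for 'publish' only.
$user  = ['settings' => false, 'publish' => true, 'delete' => false];
$rules = ['publish' => true];
$keys  = ['settings', 'publish', 'delete'];

var_dump(mergeAlways($user, $rules, $keys));
var_dump(mergeDefinedOnly($user, $rules, $keys));
```

With this sample data, mergeAlways() flips 'settings' and 'delete' to true although the workflow has no rule for them, while mergeDefinedOnly() changes only 'publish'.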