"Has same role as creator" permission settings are not applied #330

Open
manu7823 opened this issue Apr 27, 2023 · 4 comments
Labels
feature request Community feature request v4 Strapi v4

Comments

manu7823 commented Apr 27, 2023

Problem

Restricting "Read" and "Update" permissions to "Has same role as creator" doesn't work.

Steps to reproduce

  1. Create two roles and two users.
  2. Grant only "Has same role as creator" permissions for the navigation plugin's read and update operations.
  3. Assign one user to the first role and the other one to the second role, log in with the first user and create a new navigation item.
  4. Log out with the first user, log in with the second user and you can still see and edit the created navigation item of the first user with a different role than the currently logged in user.

Setup

    "dependencies": {
      "@strapi/plugin-i18n": "~4.10.1",
      "@strapi/plugin-users-permissions": "~4.10.1",
      "@strapi/strapi": "~4.10.1",
      "better-sqlite3": "^8.0.1",
      "mysql": "^2.18.1",
      "strapi-plugin-navigation": "^2.2.8"
    }

@cyp3rius
Contributor

@manu7823 what you're describing is more like a "virtual tenancy" so single user / role can have and edit dedicated navigation. Operating on the same navigation structure and showing items per roles won't be possible because of duplicates which may happen.

It's a custom solution in my opinion and honestly we did something like that based on Strapi + Navigation plugin for our client by extending Navigation Collection with tenant relation and assigning roles per tenants.

I'm worried that your case is too custom to make it part of common codebase unfortunately. Anyway keep your eyes open, during the Strapi Conf such use case might be presented ;)

@cyp3rius cyp3rius added feature request Community feature request v4 Strapi v4 labels Apr 27, 2023
@manu7823
Author

@cyp3rius that's exactly what I try to achieve! Thank you for the hint regarding the Strapi Conf :) Is there any way you would share the code you wrote for your client with me?

@cyp3rius
Contributor

I might not share the codebase as that's a business value of a client but discuss and showcase the idea ;)

quarkcore commented Jan 26, 2024

> @manu7823 what you're describing is more like a "virtual tenancy" so single user / role can have and edit dedicated navigation. Operating on the same navigation structure and showing items per roles won't be possible because of duplicates which may happen.
>
> It's a custom solution in my opinion and honestly we did something like that based on Strapi + Navigation plugin for our client by extending Navigation Collection with tenant relation and assigning roles per tenants.
>
> I'm worried that your case is too custom to make it part of common codebase unfortunately. Anyway keep your eyes open, during the Strapi Conf such use case might be presented ;)

By now, this issue raises the problem that someone without permission, who should be able to edit navigation, could see other entity titles in edit mode inside navigation. That's a lack of business policies somehow. So, it's not usable if the application needs the combination of a role that can edit navigation but should only be able to have information about entities within its own role or things created on their own.

This makes the library some kind of backdoor and not usable in such cases... :(

[Edit]
To give context: I need to implement a feature where a given role can edit content of its own. As part of the content, the role owners should be able to make use of some sort of sub navigations (mostly sidebars with links to other pages of their department) and at the same time aren't allowed to edit things like the main navigation.
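The behaviour the reproduction steps expect, written out as an added example (not code from Strapi, the navigation plugin, or anyone in this thread): a server-side "has same role as creator" check applied to both the read and the update path. The data shapes and the function names `hasSameRoleAsCreator`, `readItems` and `updateItem` are hypothetical, and the sample users and items are constructed.

```javascript
// Added example on constructed data; not Strapi or plugin code.
// Hypothetical shapes: user = { id, roles: [{ id }] },
//                      item = { id, title, createdBy: user | null }.

// Set of role ids held by a user; an absent user yields an empty set.
const roleIds = (user) => new Set((user?.roles ?? []).map((r) => r.id));

// True when the actor shares at least one role with the item's creator.
// Items without a recorded creator are denied (fail closed).
function hasSameRoleAsCreator(actor, item) {
  const creatorRoles = roleIds(item.createdBy);
  for (const id of roleIds(actor)) {
    if (creatorRoles.has(id)) return true;
  }
  return false;
}

// Read path: filter on the server so that titles of items created under
// other roles are never sent to the client at all.
function readItems(actor, items) {
  return items.filter((item) => hasSameRoleAsCreator(actor, item));
}

// Update path: re-check against the stored item, never the request body.
// Missing and forbidden items produce the same error.
function updateItem(actor, store, id, patch) {
  const item = store.find((i) => i.id === id);
  if (!item || !hasSameRoleAsCreator(actor, item)) {
    throw new Error('Forbidden');
  }
  // The creator and the id are not writable by the client.
  const { createdBy, id: ignoredId, ...safe } = patch;
  return Object.assign(item, safe);
}

// Constructed sample data mirroring the reproduction steps:
// two users with different roles, one item created by the first user.
const userA = { id: 1, roles: [{ id: 10 }] };
const userB = { id: 2, roles: [{ id: 20 }] };
const store = [
  { id: 100, title: 'Department A sidebar', createdBy: userA },
  { id: 101, title: 'Item without creator', createdBy: null },
];
```
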
