I believe there is an inconsistency in the permission check order within the getGlobalSearchResultUrl method.
Description
In V4 and V5, the method checks view permission before edit, while in V3 the order is the opposite.
This results in different behavior across versions and may lead to unintended UX.
Current behavior (V4 / V5)
view is checked first
edit is checked afterwards
This means that even if a user has edit permission, they may still be redirected to the view page instead of edit.
Previous behavior (V3)
edit is checked first
view is used as fallback
This ensures that users with higher privileges (edit) are directed to the correct page.
V4 / V5 (`packages/panels/src/Resources/Resource.php`):
```php
public static function getGlobalSearchResultUrl(Model $record): ?string
{
    // In the future, Filament will support global search in nested resources.
    // For now, you must specify custom global search result URLs to do so,
    // since there are missing URL parameters from the parent records.
    if (static::getParentResourceRegistration()) {
        return null;
    }

    $canView = static::canView($record);

    if (static::hasPage('view') && $canView) {
        return static::getUrl('view', ['record' => $record]);
    }

    $canEdit = static::canEdit($record);

    if (static::hasPage('edit') && $canEdit) {
        return static::getUrl('edit', ['record' => $record]);
    }

    if ($canView) {
        return static::getUrl(parameters: [
            'tableAction' => 'view',
            'tableActionRecord' => $record,
        ]);
    }

    if ($canEdit) {
        return static::getUrl(parameters: [
            'tableAction' => 'edit',
            'tableActionRecord' => $record,
        ]);
    }

    return null;
}
```
Expected behavior
When determining access, the system should check the edit permission first, and fall back to view if edit is not granted.
Context
In most cases, a user who has edit permission is also allowed to view. However, there are valid scenarios where a user is granted view permission but not edit.
Problem
Currently, the permission check order does not account for this distinction, which can lead to incorrect access control behavior.
Proposed behavior
Check edit permission first
If edit is denied, then check view permission
Allow access if either condition is satisfied according to the intended context.
Package: Panel builder
Package Version: v5
Am I wrong?
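Added illustration, not Filament's code and not part of the post above: a stand-alone PHP model of the two orderings the post compares, run over the four possible permission combinations. The two booleans stand in for the results of `static::canView()` / `static::canEdit()`, the `$pages` array for `static::hasPage()`, and the URL strings and record key `42` are constructed placeholders for what `static::getUrl()` would build.

```php
<?php
declare(strict_types=1);

// Added example (not Filament's code): a stand-alone model of the two orderings
// of the view/edit checks in getGlobalSearchResultUrl(). The booleans stand in
// for static::canView()/canEdit(), $pages for static::hasPage(), and the URLs
// and record key below are constructed placeholders.

const RECORD_KEY = 42;

function hasPage(array $pages, string $name): bool
{
    return in_array($name, $pages, true);
}

/** Current v4/v5 order: view wins whenever the user may view. */
function urlViewFirst(array $pages, bool $canView, bool $canEdit): ?string
{
    if (hasPage($pages, 'view') && $canView) {
        return '/records/' . RECORD_KEY;
    }
    if (hasPage($pages, 'edit') && $canEdit) {
        return '/records/' . RECORD_KEY . '/edit';
    }
    if ($canView) {
        return '/records?tableAction=view&tableActionRecord=' . RECORD_KEY;
    }
    if ($canEdit) {
        return '/records?tableAction=edit&tableActionRecord=' . RECORD_KEY;
    }
    return null;
}

/** Order proposed in the post (v3 behaviour): edit first, view as the fallback. */
function urlEditFirst(array $pages, bool $canView, bool $canEdit): ?string
{
    if (hasPage($pages, 'edit') && $canEdit) {
        return '/records/' . RECORD_KEY . '/edit';
    }
    if (hasPage($pages, 'view') && $canView) {
        return '/records/' . RECORD_KEY;
    }
    if ($canEdit) {
        return '/records?tableAction=edit&tableActionRecord=' . RECORD_KEY;
    }
    if ($canView) {
        return '/records?tableAction=view&tableActionRecord=' . RECORD_KEY;
    }
    return null;
}

// Constructed input: a resource that registers index, view and edit pages,
// and the four permission combinations a user can hold.
$pages = ['index', 'view', 'edit'];
$cases = [
    'no permission' => [false, false],
    'view only'     => [true,  false],
    'edit only'     => [false, true],
    'view + edit'   => [true,  true],
];

printf("%-14s %-22s %s\n", 'user', 'view-first (v4/v5)', 'edit-first (v3)');
foreach ($cases as $label => [$canView, $canEdit]) {
    $a = urlViewFirst($pages, $canView, $canEdit);
    $b = urlEditFirst($pages, $canView, $canEdit);
    printf("%-14s %-22s %s\n", $label, $a ?? 'null', $b ?? 'null');

    // Property that must hold under either ordering: the chosen URL never
    // exceeds what the user holds. No edit URL without canEdit, and no URL
    // at all when the user holds neither permission.
    foreach ([$a, $b] as $url) {
        if (!$canEdit && $url !== null && str_contains($url, 'edit')) {
            throw new LogicException("edit URL handed to non-editor: $label");
        }
        if (!$canView && !$canEdit && $url !== null) {
            throw new LogicException("URL handed to user with no permission: $label");
        }
    }
}
```

Run with `php example.php` (PHP 8 or later, for `str_contains`). The two columns differ only in the `view + edit` row: view-first sends that user to the view page, edit-first to the edit page, which is the UX difference the post describes. The checks at the end pass for both orderings, because each branch is guarded by the matching `canView`/`canEdit` result: the order decides which of the user's permitted pages the search result links to, not whether a page the user may not access becomes reachable, so whatever authorization the target page itself performs is still what enforces access.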