Fix for #101 (access to restricted resources)

[BertKooij]

This PR will fix #101. The resource will be checked against access through the resource group.

[Mark-H]

Thanks for sending a PR, @beko1997! Appreciate that :)

Left a few inline comments, but also want to discuss the way the conditions are applied in get_versions/getlist... the logic seems quite complex, primarily due to the check for access_resource_group_enabled causing 3 different scenarios to be needed. It also only checks resource groups and not, say, context permissions, so I'm wondering if this is the best approach. It is pragmatic (better than no check at all) and should be fairly performant though, so, a pretty good start.

Have you looked at using the $obj->checkPolicy method on modAccessibleObject instances? We'd need to grab the modResource object (if it still exists) but then VersionX would support any type of policy.

[Mark-H]

Ew, Mark-from-5-years-ago, y u no use braces 😧

[Mark-H]

This check should be removed; just because a resource no longer exists does not mean it should not be available in VersionX. Restoring resources that were deleted is kind of a big deal for a versioning plugin.

[BertKooij]

Yes, you're right. I will check for a better solution later on.

[BertKooij]

Left a few inline comments, but also want to discuss the way the conditions are applied in get_versions/getlist... the logic seems quite complex, primarily due to the check for access_resource_group_enabled causing 3 different scenarios to be needed. It also only checks resource groups and not, say, context permissions, so I'm wondering if this is the best approach. It is pragmatic (better than no check at all) and should be fairly performant though, so, a pretty good start. ~ @Mark-H

Indeed, it looks a bit complex. I'm also not 100% convinced this will cover all the possibilities for restricting access to a resource. It is primarily based on the findPolicy method inside the ModResource object of MODX and than rewritten for using joins: https://github.com/modxcms/revolution/blob/2ad1f763a32afd28fd5b89e7f0ba5ceaa26bfad1/core/model/modx/modresource.class.php#L829.

MODX is using this for example for receiving the resource tree. But this iterates over all resources before deciding whether the user has access. Using this with VersionX2 will make things a lot slower (and messier).

Have you looked at using the $obj->checkPolicy method on modAccessibleObject instances? We'd need to grab the modResource object (if it still exists) but then VersionX would support any type of policy. ~ @Mark-H

This part is interesting, will check it later. Not having a 100% guarantee for having the corresponding ModResource makes it pretty difficult though. A edge-case would be having a restricted resource which is later removed. In that case it would not be possible to determine whether the user can access the version at all. Maybe a version should be kept of modResourceGroupResource as well ;)

I will spend a bit of time in the next few days on this PR.

[Mark-H]

I'd be interested in seeing a new and improved version of this, but given the refactoring to controllers and processors it would likely need to be re-implemented.