User cannot edit Widget if they don't have permissions to Layout/Display

I have a user created simply to edit the dataset. This works well in 1.7. However with a 1.8 PLAYER, the user can no longer edit the dataset, getting a Not Found error.

This is the error in the logs:

Not Found
#0 /var/customers/webs/displaym2/lib/Entity/Schedule.php(907): Xibo\Factory\DayPartFactory->getById(3)
#1 /var/customers/webs/displaym2/lib/Entity/Schedule.php(658): Xibo\Entity\Schedule->calculateDayPartTimes(Object(Jenssegers\Date\Date), Object(Jenssegers\Date\Date))
#2 /var/customers/webs/displaym2/lib/Entity/Schedule.php(603): Xibo\Entity\Schedule->generateMonth(Object(Jenssegers\Date\Date))
#3 /var/customers/webs/displaym2/lib/Service/DisplayNotifyService.php(411): Xibo\Entity\Schedule->getEvents(Object(Jenssegers\Date\Date), Object(Jenssegers\Date\Date))
#4 /var/customers/webs/displaym2/lib/Entity/DataSet.php(601): Xibo\Service\DisplayNotifyService->notifyByDataSetId(2)
#5 /var/customers/webs/displaym2/lib/Entity/DataSet.php(477): Xibo\Entity\DataSet->notify()
#6 /var/customers/webs/displaym2/lib/Controller/DataSetData.php(365): Xibo\Entity\DataSet->save(Array)
#7 [internal function]: Xibo\Controller\DataSetData->edit('2', '2')
#8 /var/customers/webs/displaym2/vendor/akrabat/rka-slim-controller/RKA/Slim.php(79): call_user_func_array(Array, Array)
#9 [internal function]: RKA\Slim->RKA\{closure}('2', '2')
#10 /var/customers/webs/displaym2/vendor/slim/slim/Slim/Route.php(468): call_user_func_array(Object(Closure), Array)
#11 /var/customers/webs/displaym2/vendor/slim/slim/Slim/Slim.php(1355): Slim\Route->dispatch()
#12 /var/customers/webs/displaym2/vendor/slim/slim/Slim/Middleware/Flash.php(85): Slim\Slim->call()
#13 /var/customers/webs/displaym2/vendor/slim/slim/Slim/Middleware/MethodOverride.php(92): Slim\Middleware\Flash->call()
#14 /var/customers/webs/displaym2/lib/Middleware/Actions.php(141): Slim\Middleware\MethodOverride->call()
#15 /var/customers/webs/displaym2/lib/Middleware/Theme.php(35): Xibo\Middleware\Actions->call()
#16 /var/customers/webs/displaym2/lib/Middleware/WebAuthentication.php(132): Xibo\Middleware\Theme->call()
#17 /var/customers/webs/displaym2/lib/Middleware/CsrfGuard.php(62): Xibo\Middleware\WebAuthentication->call()
#18 /var/customers/webs/displaym2/lib/Middleware/State.php(109): Xibo\Middleware\CsrfGuard->call()
#19 /var/customers/webs/displaym2/lib/Middleware/Storage.php(47): Xibo\Middleware\State->call()
#20 /var/customers/webs/displaym2/lib/Middleware/Xmr.php(36): Xibo\Middleware\Storage->call()
#21 /var/customers/webs/displaym2/web/modules/liveeditor/LiveEditor.php(39): Xibo\Middleware\Xmr->call()
#22 /var/customers/webs/displaym2/vendor/slim/slim/Slim/Slim.php(1300): Xibo\Custom\LiveEditor->call()
#23 /var/customers/webs/displaym2/web/index.php(124): Slim\Slim->run()
#24 {main}

It seems like the system is trying to notify the display that the dataset has changed but the user does not have permissions to do so.

If I take out this piece of code:
$this->displayFactory->getDisplayNotifyService()->notifyByDataSetId($this->dataSetId);

in /var/customers/webs/displaym2/lib/Entity/DataSet.php

Things work properly again. I think the notification factory should check for permissions?

That’s interesting and you might be correct, just to clarify:

I’ve a user that has access only to Datasets page and to one existing dataset, that happens to be in use on a layout scheduled to one of my displays.

My user has no permissions to layouts or display pages (or individual displays/layouts), yet I can edit the dataset just fine as that user - could you please tell me the exact use case, so I can recreate it as close as possible to what you have?

It’s the same: the user has permissions to edit the dataset but nothing else. It works when the player is on Android 1.7, but when the player is upgraded to Android 1.8, it tries to notify the display of the change and I assume it doesn’t have permissions to do so, resulting in the UI displaying a “not found” error. The dataset doesn’t update, and the stack trace I’ve shown attached is in the logs when I put the system in debug mode.

The dataset edit does continue to work when you’re logged in as an admin, just not as a user. As you can see from the stack trace the Layout is also in a Daypart which that user can’t access which is where the first error originates?

I see, the issue is indeed with the custom created daypart, sorry I didn’t catch that before.

I’ve created a bug report for it here - https://github.com/xibosignage/xibo/issues/1214

Thank you for bringing this to our attention.
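
The failure mode discussed in this thread, as an added example that is not taken from the thread or from the Xibo code base: a save triggers a side effect whose lookup is filtered by the logged-in user's permissions, so a record the user cannot view aborts the whole save with "Not Found". Every class and function name below is hypothetical, and the assumption that the daypart lookup is permission-filtered is this example's, based on the diagnosis above.

```php
<?php
// Constructed model, not Xibo code: all class and function names are hypothetical.
class NotFoundException extends RuntimeException {}

final class DayPartStore
{
    /** @param array<int, array{name: string, viewers: string[]}> $rows */
    public function __construct(private array $rows) {}

    // Lookup for UI requests: rows the user cannot view look like missing rows.
    public function getByIdForUser(int $id, string $user): array
    {
        $row = $this->rows[$id] ?? null;
        if ($row === null || !in_array($user, $row['viewers'], true)) {
            throw new NotFoundException('Not Found');
        }
        return $row;
    }

    // Lookup for internal side effects: no user filter, result never shown to the user.
    public function getByIdInternal(int $id): array
    {
        return $this->rows[$id] ?? throw new NotFoundException('Not Found');
    }
}

function saveDataSet(DayPartStore $store, string $user, int $dayPartId, bool $internalLookup): string
{
    // The user's right to edit the dataset itself is assumed to be checked before this point.
    // Side effect: working out which displays to notify needs the scheduled daypart.
    $internalLookup
        ? $store->getByIdInternal($dayPartId)
        : $store->getByIdForUser($dayPartId, $user);
    // Nothing about the daypart is returned, so the internal lookup leaks no data.
    return 'saved, displays notified';
}

// Constructed sample data: daypart 3 is visible to admin only.
$store = new DayPartStore([3 => ['name' => 'custom', 'viewers' => ['admin']]]);
foreach ([['admin', false], ['editor', false], ['editor', true]] as [$user, $internal]) {
    try {
        echo "$user: ", saveDataSet($store, $user, 3, $internal), PHP_EOL;
    } catch (NotFoundException $e) {
        echo "$user: save failed: ", $e->getMessage(), PHP_EOL;
    }
}
```

Needs PHP 8.0 or later. The second case reproduces the reported symptom; the third shows the save succeeding once the side effect stops borrowing the user's view permissions.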