Merge branch '2025.4' into 3207-translations-v2

lukmzig · lukmzig · commit fd1eca089519 · 2026-04-02T10:00:10.000+02:00
diff --git a/composer.json b/composer.json
@@ -17,12 +17,12 @@
   "prefer-stable": true,
   "minimum-stability": "dev",
   "require": {
-    "php": "~8.3.0 || ~8.4.0 || ~8.5.0",
+    "php": "~8.3.0 || ~8.4.0",
     "league/csv": "^9.27",
     "nesbot/carbon": "^3.8.4",
-    "pimcore/static-resolver-bundle": "^3.5.0 || ^2026.1",
-    "pimcore/generic-data-index-bundle": "^2.4.0 || ^2026.1",
-    "pimcore/pimcore": "^12.3 || ^2026.1",
+    "pimcore/static-resolver-bundle": "^3.5.0 ",
+    "pimcore/generic-data-index-bundle": "^2.4.0",
+    "pimcore/pimcore": "^12.3",
     "zircote/swagger-php": "^4.8 || ^5.0",
     "ext-zip": "*",
     "symfony/mercure": "^0.6.5",
@@ -66,7 +66,7 @@
   },
   "extra": {
     "branch-alias": {
-      "dev-1.x": "1.0.x-dev"
+      "dev-2025.4": "1.x-dev"
     },
     "pimcore": {
       "bundles": [
diff --git a/doc/02_Installation_and_Configuration/README.md b/doc/02_Installation_and_Configuration/README.md
@@ -32,7 +32,9 @@ security:
     firewalls:
         pimcore_studio: '%pimcore_studio_backend.firewall_settings%'
     access_control:
-      - { path: ^/pimcore-studio/api/(docs|docs/json|translations|user/reset-password)$, roles: PUBLIC_ACCESS }
+      - { 
+            path: ^/pimcore-studio/api/(docs|docs/json|translations|user/reset-password|setting/admin/thumbnail)$, roles: PUBLIC_ACCESS 
+        }
       - { path: ^/pimcore-studio/api, roles: ROLE_PIMCORE_USER }
 ```
 
@@ -48,7 +50,9 @@ security:
         pimcore_mcp: '%pimcore_studio_backend.mcp_firewall_settings%'
         pimcore_studio: '%pimcore_studio_backend.firewall_settings%'
     access_control:
-      - { path: ^/pimcore-studio/api/(docs|docs/json|translations|user/reset-password)$, roles: PUBLIC_ACCESS }
+      - { 
+            path: ^/pimcore-studio/api/(docs|docs/json|translations|user/reset-password|setting/admin/thumbnail)$, roles: PUBLIC_ACCESS 
+        }
       - { path: ^/pimcore-studio/api, roles: ROLE_PIMCORE_USER }
       - { path: ^/pimcore-mcp/, roles: ROLE_PIMCORE_USER }
 ```
diff --git a/src/Gdpr/Provider/AssetsProvider.php b/src/Gdpr/Provider/AssetsProvider.php
@@ -17,14 +17,17 @@
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Provider\AssetQueryProviderInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\QueryInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Service\AssetSearchServiceInterface;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\NotFoundException;
 use Pimcore\Bundle\StudioBackendBundle\Filter\MappedParameter\FilterParameter;
 use Pimcore\Bundle\StudioBackendBundle\Gdpr\Provider\Legacy\AssetExporterInterface;
 use Pimcore\Bundle\StudioBackendBundle\Gdpr\Schema\GdprDataRow;
 use Pimcore\Bundle\StudioBackendBundle\Response\Collection;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constant\ElementPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
 use Pimcore\Model\Asset;
 use Symfony\Component\HttpFoundation\Response;
+use function sprintf;
 
 /**
  * @internal
@@ -130,6 +133,10 @@ public function getSingleItemForDownload(int $id): Response
             throw new NotFoundException('Asset Not Found', $id);
         }
 
+        if (!$asset->isAllowed(ElementPermissions::VIEW_PERMISSION)) {
+            throw new ForbiddenException(sprintf('Access Denied for asset with id "%d".', $asset->getId()));
+        }
+
         return $this->assetExporter->doExportData($asset);
     }
 
diff --git a/src/Gdpr/Provider/DataObjectProvider.php b/src/Gdpr/Provider/DataObjectProvider.php
@@ -17,14 +17,17 @@
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Provider\DataObjectQueryProviderInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\QueryInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Service\DataObjectSearchServiceInterface;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\NotFoundException;
 use Pimcore\Bundle\StudioBackendBundle\Filter\MappedParameter\FilterParameter;
 use Pimcore\Bundle\StudioBackendBundle\Gdpr\Provider\Legacy\ObjectExporterInterface;
 use Pimcore\Bundle\StudioBackendBundle\Gdpr\Schema\GdprDataRow;
 use Pimcore\Bundle\StudioBackendBundle\Response\Collection;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constant\ElementPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
 use Pimcore\Model\DataObject;
 use Pimcore\Model\DataObject\Concrete;
+use function sprintf;
 
 /**
  * @internal
@@ -132,6 +135,10 @@ public function getSingleItemForDownload(int $id): array
             throw new NotFoundException('Requested object is not a Concrete data object', $id);
         }
 
+        if (!$object->isAllowed(ElementPermissions::VIEW_PERMISSION)) {
+            throw new ForbiddenException(sprintf('Access Denied for object with id "%d".', $object->getId()));
+        }
+
         $export = [
             'id'            => $object->getId(),
             'fullPath'      => $object->getFullPath(),
diff --git a/src/Gdpr/Provider/PimcoreUserProvider.php b/src/Gdpr/Provider/PimcoreUserProvider.php
@@ -213,6 +213,6 @@ public function getSortPriority(): int
      */
     public function getRequiredPermissions(): array
     {
-        return [UserPermissions::PIMCORE_USER->value];
+        return [UserPermissions::USER_MANAGEMENT->value];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,6 @@ public function getSortPriority(): int`
`213`	`213`	`*/`
`214`	`214`	`public function getRequiredPermissions(): array`
`215`	`215`	`{`
`216`		`- return [UserPermissions::PIMCORE_USER->value];`
	`216`	`+ return [UserPermissions::USER_MANAGEMENT->value];`
`217`	`217`	`}`
`218`	`218`	`}`