[BUG] Gate open and remove actions in relation tables on element permissions

composer.json

@@ -1,5 +1,6 @@
 {
   "name": "pimcore/studio-backend-bundle",
+  "version": "2025.4.5",
   "license": "proprietary",
   "type": "pimcore-bundle",
   "description": "Pimcore Studio Backend Bundle",

config/data_objects.yaml

@@ -25,6 +25,8 @@ services:
   Pimcore\Bundle\StudioBackendBundle\DataObject\Service\ReplaceServiceInterface:
     class: Pimcore\Bundle\StudioBackendBundle\DataObject\Service\ReplaceService
 
+  Pimcore\Bundle\StudioBackendBundle\DataObject\Service\RelationNormalizationContext: ~
+
   Pimcore\Bundle\StudioBackendBundle\DataObject\Service\DataServiceInterface:
     class: Pimcore\Bundle\StudioBackendBundle\DataObject\Service\DataService
 

src/DataIndex/Grid/GridSearch.php

@@ -113,8 +113,21 @@
         UserInterface $user
     ): AssetSearchResult|DataObjectSearchResult|DocumentSearchResult {
         $type = $this->getStudioElementType($type);
-        /** @var AssetQueryInterface|DataObjectQueryInterface|DocumentQueryInterface $query */
-        $query = $this->getSearchQuery($type, $gridParameter, $user);
+
+        // When filtering by explicit IDs (relation context), skip workspace and path
+        // restrictions — the user already has a reference to these objects via the
+        // relation, so showing their field data does not expose new information.
+        $filter = $gridParameter->getFilters();
+        $byIds = $filter->getSimpleColumnFilterByType('system.ids') !== null;
+
+        if ($byIds) {
+            $query = $this->queryFactory->create($type);
+            /** @var AssetQueryInterface|DataObjectQueryInterface|DocumentQueryInterface $query */
+            $query = $this->filterService->applyFilters($query, $filter, $type);
+        } else {
+            /** @var AssetQueryInterface|DataObjectQueryInterface|DocumentQueryInterface $query */
+            $query = $this->getSearchQuery($type, $gridParameter, $user);
+        }
 
         return match($type) {
             ElementTypes::TYPE_ASSET => $this->assetSearchService->searchAssets($query),

src/DataObject/Service/DataService.php

@@ -54,6 +54,7 @@ public function __construct(
         private DataAdapterServiceInterface $dataAdapterService,
         private InheritanceServiceInterface $inheritanceService,
         private WorkflowDetailsServiceInterface $workflowDetailsService,
+        private RelationNormalizationContext $normalizationContext,
     ) {
     }
 
@@ -286,13 +287,18 @@ private function removeEmptyValues(array $previewFields): array
      */
     private function getDetailObjectData(Concrete $dataObject, array $fieldDefinitions): array
     {
-        $data = [];
-        foreach ($fieldDefinitions as $key => $fieldDefinition) {
-            $data[$key] = $this->getDetailValue(
-                $dataObject,
-                $this->getValidFieldValue($dataObject, $key),
-                $fieldDefinition
-            );
+        $this->normalizationContext->setParent($dataObject);
+        try {
+            $data = [];
+            foreach ($fieldDefinitions as $key => $fieldDefinition) {
+                $data[$key] = $this->getDetailValue(
+                    $dataObject,
+                    $this->getValidFieldValue($dataObject, $key),
+                    $fieldDefinition
+                );
+            }
+        } finally {
+            $this->normalizationContext->setParent(null);
         }
 
         return $data;

src/DataObject/Service/RelationNormalizationContext.php

@@ -0,0 +1,38 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * This source file is available under the terms of the
+ * Pimcore Open Core License (POCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (https://www.pimcore.com)
+ *  @license    Pimcore Open Core License (POCL)
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\DataObject\Service;
+
+use Pimcore\Model\DataObject\Concrete;
+
+/**
+ * Holds the parent (owner) object currently being normalized so that nested
+ * relation adapters can check save/publish permissions against it without
+ * requiring the parent to be threaded through every normalize() signature.
+ *
+ * @internal
+ */
+class RelationNormalizationContext
+{
+    private ?Concrete $parent = null;
+
+    public function setParent(?Concrete $parent): void
+    {
+        $this->parent = $parent;
+    }
+
+    public function getParent(): ?Concrete
+    {
+        return $this->parent;
+    }
+}

src/Element/Schema/RelatedElementData.php

@@ -22,7 +22,7 @@
 #[Schema(
     schema: 'RelatedElementData',
     title: 'RelatedElementData',
-    required: ['id', 'type', 'subtype', 'fullPath', 'isPublished'],
+    required: ['id', 'type', 'subtype', 'fullPath', 'isPublished', 'hasAccess', 'canEdit'],
     type: 'object'
 )]
 final readonly class RelatedElementData
@@ -38,6 +38,10 @@
         private string $fullPath,
         #[Property(description: 'Is the element published', type: 'boolean', example: true)]
         private ?bool $isPublished = null,
+        #[Property(description: 'Whether the current user has view access to the element', type: 'boolean', example: true)]
+        private bool $hasAccess = true,
+        #[Property(description: 'Whether the current user has save or publish permission on the element', type: 'boolean', example: true)]
+        private bool $canEdit = true,
     ) {
     }
 
@@ -65,4 +69,14 @@
     {
         return $this->isPublished;
     }
+
+    public function getHasAccess(): bool
+    {
+        return $this->hasAccess;
+    }
+
+    public function getCanEdit(): bool
+    {
+        return $this->canEdit;
+    }
 }

src/Element/Service/ElementDataService.php

@@ -13,31 +13,58 @@
 
 namespace Pimcore\Bundle\StudioBackendBundle\Element\Service;
 
+use Pimcore\Bundle\StudioBackendBundle\DataObject\Service\RelationNormalizationContext;
 use Pimcore\Bundle\StudioBackendBundle\Element\Schema\RelatedElementData;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\UserNotFoundException;
+use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\Util\Trait\ElementProviderTrait;
 use Pimcore\Model\DataObject\Concrete;
 use Pimcore\Model\Document;
 use Pimcore\Model\Element\ElementInterface;
+use Pimcore\Model\User;
 
 /**
  * @internal
  */
-final readonly class ElementDataService implements ElementDataServiceInterface
+readonly class ElementDataService implements ElementDataServiceInterface
 {
     use ElementProviderTrait;
 
+    public function __construct(
+        protected SecurityServiceInterface $securityService,
+        protected RelationNormalizationContext $normalizationContext,
+    ) {
+    }
+
     public function getRelatedElementData(ElementInterface $element): RelatedElementData
     {
+        $hasAccess = true;
+        $canEdit = true;
+        try {
+            $user = $this->securityService->getCurrentUser();
+            /** @var User $user */
+            $hasAccess = $element->isAllowed('view', $user);
+            $parent = $this->normalizationContext->getParent();
+            if ($parent !== null) {
+                $canEdit = $parent->isAllowed('save', $user) || $parent->isAllowed('publish', $user);
+            }
+        } catch (UserNotFoundException) {
+            $hasAccess = false;
+            $canEdit = false;
+        }
+
         return new RelatedElementData(
             $element->getId(),
             $this->getElementType($element, true),
             $this->getSubType($element),
             $element->getRealFullPath(),
-            $this->getPublished($element)
+            $this->getPublished($element),
+            $hasAccess,
+            $canEdit,
         );
     }
 
-    private function getSubType(ElementInterface $element): string
+    protected function getSubType(ElementInterface $element): string
     {
         if ($element instanceof Concrete) {
             return $element->getClassName();
@@ -46,7 +73,7 @@
         return $element->getType();
     }
 
-    private function getPublished(ElementInterface $element): ?bool
+    protected function getPublished(ElementInterface $element): ?bool
     {
         if ($element instanceof Concrete || $element instanceof Document) {
             return $element->getPublished();

src/Util/Trait/ElementProviderTrait.php

@@ -103,7 +103,7 @@ private function getElementClass(ElementInterface $element): string
     /**
      * @throws InvalidElementTypeException
      */
-    private function getElementType(ElementInterface $element, bool $getCoreType = false): string
+    protected function getElementType(ElementInterface $element, bool $getCoreType = false): string
     {
         return match (true) {
             $element instanceof Asset => ElementTypes::TYPE_ASSET,