searchAdmin findAction: late permission check leads to no items in selector modal

[Corepex]

Bug Report

Expected behavior

When assigning a object to a object (via many-to-one) relation field the selector modal opens and should display all objects which the permission is given for.

Actual behavior

In the selector modal pimcore obviously selects the first 50 dataobjects and then checks the permissions afterwards. In some cases within the first 50 selected dataobjects there are no objects with valid permissions -- no results are displayed or at leat not 50.
If the user selects all from the dropdown it will display all objects with right permissions.

Steps to reproduce

Prerequirements

• A Class called Attributes (the fields doesnt matter)
• A Class called Machines (one ralation field (many-to-one allowed classes: Attributes) inside)
• 1 Folder called Machines (folder for objects with the class Machine)
• 1 Folder called Attributes (folder for objects with the class Attribute)
  • generate about 200 Attribute Objects
  • create a subfolder called spezial an move a few Attributes inside (tested with 5 in subfolder)
• 1 Testuser

Reproduce

1. Create a User (without Admin rights)
   • give the user the following permissions: Objects
   • Switch to workspaces tab
     • add the spezial folder and check List and View
     • add the Machines folder and give the user all permissions
2. Log in with this user
3. Create a new Machine object (or use an existing ... doesnt matter)
4. Click on the search icon beside the href field

Behavior
You shouldnt see all items created inside the spezial folder and in the right bottom you see "No items found".
Now select Items per Page: 200 or all ... now you see all elements! (although you should see all items befor with the 50 items filter).

Error file
I think the error occurs because of the functiondesign in file:
https://github.com/pimcore/pimcore/blob/652a614a0c50d1b33212471e548e3cc96a517aad/bundles/AdminBundle/Controller/Searchadmin/SearchController.php#L290 - permissions are checked after select is done

[stale]

Thanks a lot for reporting the issue. The issue was not considered by us as "Priority" or "Backlog", so we're not gonna work on that anytime soon. In case this is a bug report, please create a pull request fixing the issue, we'll then review it as soon as possible. If you're interested in contributing a feature, please contact us first here before creating a pull request, we'll then decide whether we'd accept it or not. Thanks for your understanding.