Bulk operations does not respect entity access

Created on 12 January 2014, about 11 years ago
Updated 12 September 2023, over 1 year ago

Problem/Motivation

On bulk forms no access checking is performed. This means that once you have access to admin/people you can pretty much do whatever you want with any user account listed there.

Entity access checks are not performed when executing a bulk operation from entity overview pages, such as the content overview page (admin/content) or the user overview page (admin/people).

Proposed resolution

  • Add a new method on the ActionInterface:
    public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE);
  • Each action plugin has to determine, based upon the object, whether the account can perform the action on it.
  • We rely on field access checking when we just update $node->status, but on entity access checking for things like deleting nodes.
  • In the actual bulk operation code we check access for the chosen action on each row, and execute it only if access was granted.
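An added illustration of the proposed resolution (example code written for this summary, not from the issue's patches or from Drupal core): one action plugin implementing the proposed access() method with the entity-level and field-level checks described above, plus a hypothetical per-row helper showing the check the bulk form would perform before executing. The method signature follows the proposal above (the API as finally committed may differ); the class name PublishNodeExample, the function checkedBulkExecute() and the 'execute' value passed as $operation are assumptions, since the proposal does not define them.

```php
<?php
// Added example (not from the issue or Drupal core); PublishNodeExample and
// checkedBulkExecute() are assumed names.
use Drupal\Core\Action\ActionBase;
use Drupal\Core\Action\ActionInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Publishes a node: only $node->status changes, so field access decides.
 */
class PublishNodeExample extends ActionBase {

  public function execute($node = NULL) {
    $node->status = NodeInterface::PUBLISHED;
    $node->save();
  }

  /**
   * Signature as proposed in this issue (the committed API may differ).
   * Requires 'update' access on the entity and 'edit' access on the status
   * field; a delete action would instead check $object->access('delete', ...).
   */
  public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) {
    /** @var \Drupal\node\NodeInterface $object */
    $result = $object->access('update', $account, TRUE)
      ->andIf($object->status->access('edit', $account, TRUE));
    return $return_as_object ? $result : $result->isAllowed();
  }

}

/**
 * Per-row check the bulk form should do: run the action only on rows the
 * account may act on, and return the ids that were skipped so the form can
 * report them instead of silently executing.
 */
function checkedBulkExecute(ActionInterface $action, array $entities, AccountInterface $account) {
  $skipped = [];
  foreach ($entities as $entity) {
    // 'execute' is an assumed value; the proposal does not define $operation.
    if ($action->access('execute', $entity, $account)) {
      $action->execute($entity);
    }
    else {
      $skipped[] = $entity->id();
    }
  }
  return $skipped;
}
```

With this in place, the reproduction steps below stop working: the hook_user_access() denial makes access() return FALSE for the dummy user, so the cancel action is never executed on that row.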

Remaining tasks


User interface changes

None

API changes

See beta evaluation

Beta phase evaluation


Original issue

How to reproduce

For user admin view

  1. Create a user (useradmin with uid 2) with the following permissions:
    • administer users
    • access user profiles
  2. Implement hook_user_access() in a custom module and deny delete access on any user entity (see code example below).
  3. Create an authenticated user (dummy with uid 3).
  4. Login as useradmin.
  5. Try to go to the cancel page of the dummy user (user/3/cancel). You should get an access denied page, so you are not allowed to cancel the user.
  6. Go to the user overview page (admin/people).
  7. Select the dummy user from the overview and try to apply the action "Cancel the selected user account(s)" on it.
    You will go to admin/people/cancel and you are able to select a cancel method. If you choose, for example, "Delete the account and its content." the user is deleted although you shouldn't be able to do that. $entity->access('delete') will return FALSE for user 3.

For node admin view

The steps to reproduce for nodes are similar, though if the user does not have the permission "administer nodes", access to admin/content/node/delete is denied even if the user is allowed to delete the selected node.

Implementation of hook_user_access()

/**
 * Implements hook_ENTITY_TYPE_access() for entity type "user".
 *
 * Denies the 'delete' operation on every user entity. For other operations
 * nothing is returned, which leaves the decision to the other access checks.
 */
function mymodule_user_access($entity, $operation, $account) {
  if ($operation == 'delete') {
    return FALSE;
  }
}
πŸ› Bug report
Status

Fixed

Version

8.0 ⚰️

Component
ViewsΒ  β†’

Last updated about 1 hour ago

Created by

πŸ‡³πŸ‡±Netherlands megachriz

Live updates comments and jobs are added and updated live.
  • VDC

    Related to the Views in Drupal Core initiative.

  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.
