group/{group}/node/create uses the permissions of group/{group}/node/add

Created on 26 May 2017, over 7 years ago
Updated 22 January 2024, 11 months ago

Expected behavior: Creating a new node and relating a node have different permissions.
Actual behavior: Both use the permissions for relating a node.

The routes for group/{group}/node/create and group/{group}/node/add set a flag called $create_mode to signify which of the two is being done.

However, as the permissions go through the core entity layer, that flag is lost. When GroupContentAccessControlHandler::checkCreateAccess() checks the permission it only calls GroupContentEnablerBase::createAccess() which is appropriate when we're relating/adding existing node but not creating a new one.

GroupContentAccessControlHandler::checkCreateAccess() needs to have an if/else somehow and call createAccess() for /add (relating) or createEntityAccess() for /create

πŸ› Bug report
Status

RTBC

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States ericras

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024