group/{group}/node/create uses the permissions of group/{group}/node/add

Created on 26 May 2017, over 7 years ago

Updated 22 January 2024, 10 months ago

Expected behavior: Creating a new node and relating a node have different permissions.
Actual behavior: Both use the permissions for relating a node.

The routes for group/{group}/node/create and group/{group}/node/add set a flag called $create_mode to signify which of the two is being done.

However, as the permissions go through the core entity layer, that flag is lost. When GroupContentAccessControlHandler::checkCreateAccess() checks the permission it only calls GroupContentEnablerBase::createAccess() which is appropriate when we're relating/adding existing node but not creating a new one.

GroupContentAccessControlHandler::checkCreateAccess() needs to have an if/else somehow and call createAccess() for /add (relating) or createEntityAccess() for /create

🐛 Bug report

Status

RTBC

Version

1.0

Component

Code

Created by

🇺🇸United States ericras

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇬🇧United Kingdom Dubs
This patch works for me too - please can this be merged in?
Comment 10 months ago →
🇺🇸United States SocialNicheGuru
This is already part of group 1.6

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024