Content Translation Operations are 403 for Users with Admin Role

Created on 13 August 2017, over 7 years ago
Updated 5 December 2023, about 1 year ago

Content Translation module provides routes to translate any entity through a route subscriber and the following link templates as defined in a hook_entity_alter implementation:

  $translations_path = $entity_type->getLinkTemplate('canonical') . '/translations';
  $entity_type->setLinkTemplate('drupal:content-translation-overview', $translations_path);
  $entity_type->setLinkTemplate('drupal:content-translation-add', $translations_path . '/add/{source}/{target}');
  $entity_type->setLinkTemplate('drupal:content-translation-edit', $translations_path . '/edit/{language}');
  $entity_type->setLinkTemplate('drupal:content-translation-delete', $translations_path . '/delete/{language}');

However, those routes may not be accessible to any user with permission to edit the entity itself, even if that user is user 1. From https://www.drupal.org/node/2677778#comment-11022487:

By design, it appears, ContentTranslationManageAccessCheck blocks editors' access to the entity.$entity_type_id.content_translation_edit route:

 // Editors have no access to the translation operations, as entity
 // access already grants them an equal or greater access level.
 $templates = ['update' => 'edit-form', 'delete' => 'delete-form'];
 if ($entity->access($operation) && $entity_type->hasLinkTemplate($templates[$operation])) {
   return AccessResult::forbidden()->cachePerPermissions();
 }

It seems wrong to me that user 1, or any user with the admin role, should get a 403 access denied for an operation that a translator can accomplish. This seems to be true even if user 1 also has the translator role.

Because of this decision, one cannot count on the translation link templates to be a reliable path for anyone who should be able to translate content. It is impossible, for example, to create a view that will allow administrators to edit content translations in any language with a single click; the edit-form link template points to whatever language in which the current page is being viewed, and the drupal:content-translation-edit link template is 403. Even on the translations overview page, this situation leads to many workarounds that seem inherently buggy, e.g. (from the same comment referenced above):

And the overview controller always provides editors with links to the entity edit page:

  if ($update_access->isAllowed() && $entity_type->hasLinkTemplate('edit-form')) {
    $links['edit']['url'] = $entity->urlInfo('edit-form');
    $links['edit']['language'] = $language;
  }
  elseif (!$is_original && $translation_access->isAllowed()) {
    $links['edit']['url'] = $edit_url;
  }

But the entity.$entity_type_id.edit_form route always loads the translation of the currently negotiated language.

Steps to reproduce:

  1. Create node/1
  2. Enable content translation
  3. Add a language
  4. Add a translation for node/1
  5. Create a "translator" role that has the permissions for Content Translation
  6. Create a user with the "translator" role

Expected behavior:

  • As the translator user, node/1/translations/edit/{langcode} helps me translate the content
  • As the translator user, node/1/translations/delete/{langcode} helps me translate the content
  • As the admin user or user 1, node/1/translations/edit/{langcode} helps me translate the content
  • As the admin user or user 1, node/1/translations/delete/{langcode} helps me translate the content

What happens instead:

  • As the translator user, node/1/translations/edit/{langcode} is available
  • As the translator user, node/1/translations/delete/{langcode} is available
  • As the admin user or user 1, node/1/translations/edit/{langcode} is 403 Access Denied
  • As the admin user or user 1, node/1/translations/delete/{langcode} is 403 Access Denied

Proposed resolution:

  • Remove the access checks that deny access to admin users
  • Optionally remove workarounds to send admin users to edit-form link template
  • Optionally redirect admin users to the proper edit form instead of 403
πŸ› Bug report
Status

Closed: duplicate

Version

9.2

Component
Content translationΒ  β†’

Last updated 3 days ago

No maintainer
Created by

πŸ‡ΊπŸ‡ΈUnited States dnotes
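
The decision described in the issue, as an added stand-alone PHP model that is not part of the original issue and not Drupal's own code. It compares the quoted editor branch with the proposed resolution of removing it; the function name, the user arrays and the fallback to a translation permission are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model, not Drupal's implementation.
// Operation => link template, as in the check quoted in the issue.
const TEMPLATES = ['update' => 'edit-form', 'delete' => 'delete-form'];

/**
 * Models the translation route decision for one user and one operation.
 *
 * $forbidEditors = true reproduces the quoted branch; false models the
 * proposed resolution of removing it. Hypothetical helper, not a Drupal API.
 */
function translationRouteAccess(array $user, string $operation, array $linkTemplates, bool $forbidEditors): string {
  $entityAccess = in_array($operation, $user['entity_ops'], true);
  $hasTemplate = in_array(TEMPLATES[$operation], $linkTemplates, true);
  // Quoted branch: anyone with entity access is forbidden outright.
  if ($forbidEditors && $entityAccess && $hasTemplate) {
    return '403 forbidden (editor branch)';
  }
  // Assumption: without that branch, the translation permission decides.
  return in_array($operation, $user['translation_ops'], true)
    ? 'allowed'
    : '403 (no translation permission)';
}

// Constructed sample users matching the roles in the steps to reproduce.
$users = [
  'translator' => ['entity_ops' => [], 'translation_ops' => ['update', 'delete']],
  'admin / user 1' => ['entity_ops' => ['update', 'delete'], 'translation_ops' => ['update', 'delete']],
];
// Constructed link template list for an entity type that has edit/delete forms.
$nodeTemplates = ['canonical', 'edit-form', 'delete-form'];

foreach ([true, false] as $forbidEditors) {
  echo $forbidEditors ? "Current check:\n" : "Editor branch removed:\n";
  foreach ($users as $name => $user) {
    foreach (array_keys(TEMPLATES) as $operation) {
      $result = translationRouteAccess($user, $operation, $nodeTemplates, $forbidEditors);
      printf("  %-15s %-7s %s\n", $name, $operation, $result);
    }
  }
}

// The branch depends on the link template: without edit-form it does not fire.
echo "Admin, entity type without edit-form: ",
  translationRouteAccess($users['admin / user 1'], 'update', ['canonical'], true), "\n";
```

With the branch in place the model forbids the admin on both operations while the translator is allowed, which matches the behaviour reported under "What happens instead".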
