Limit BreakLock action usage by permission

Open on Drupal.org →

Created on 16 November 2019, over 5 years ago

Updated 2 April 2024, about 1 year ago

Problem/Motivation

In content list, the Break Lock action is visible for anyone, and the access function doesn't check for the `break content lock` permission. If a user tries to do batch with that on nodes where he doesn't have permission to edit, it returns a message Permission denied. Also, the user shouldn't be able to break content lock without this permission.

Steps to Reproduce

Here's a bug where a user can break locks without the `break content lock` permission:

1. Create editor role without `break content lock` permission and access to edit nodes created by users with this role.
2. Create editor user (username editor, password editor)
3. Log in with editor user and create a node
4. In another browser log in with the super admin and open the node created by the editor user, this will create the lock.
5. Back in the browser for the editor user, go to the Locked Content view and select the node created by this user (editor user) from the bulk operation column and apply the "Break lock node" action.
6. Expected, as this role lacks the `break content lock` permission, they should not be able to break the lock under any circumstances.
7. Because the user has update access to their self created node, the `break content lock` action passes the access function and they are able to break the lock.

Proposed resolution

Update access function to check for the `break content lock` permission as well as the update access.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

✨ Feature request

Status

Needs work

Version

2.0

Component

Code

Created by

🇸🇰Slovakia kaszarobert

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Incomplete comments

Sign in to follow issues

Merge Requests

!30Limit BreakLock action usage by permission
Open
🇺🇸United States smustgrave
updated about 1 year ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

First commit to issue fork.
Merge request !30Issue #3094860 by kaszarobert: Limit BreakLock action usage by permission → (Open) created by smustgrave
Comment about 1 year ago →
🇺🇸United States smustgrave
Change makes sense to me. Not sure if the permission check should happen first though. Will leave in review.
Pipeline finished with Success
about 1 year ago
Total: 227s
#129118
Comment about 1 year ago →
🇺🇸United States smustgrave
Rebased
Pipeline finished with Success
about 1 year ago
Total: 226s
#130685
Comment about 1 year ago →
🇬🇧United Kingdom alexpott 🇪🇺🌍
Comment about 1 year ago →
🇺🇸United States smustgrave
Hiding patches.
Comment about 1 year ago →
🇺🇸United States smustgrave
Rebased
Pipeline finished with Success
about 1 year ago
Total: 258s
#131583
Comment about 1 year ago →
🇬🇧United Kingdom alexpott 🇪🇺🌍
Given this is about access it's always great to see some automated test coverage.
Status changed to Needs work about 1 year ago9:54am 2 April 2024
Comment about 1 year ago →
🇬🇧United Kingdom alexpott 🇪🇺🌍
Assigned to smustgrave
Comment about 1 year ago →
🇺🇸United States smustgrave
Should have some time this week to write a test

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024