Limit BreakLock action usage by permission

Created on 16 November 2019, almost 5 years ago
Updated 2 April 2024, 5 months ago

Problem/Motivation

In the content list, the Break Lock action is visible to everyone, and its access function doesn't check for the `break content lock` permission. If a user runs the bulk action on nodes they don't have permission to edit, it returns a "Permission denied" message. A user also shouldn't be able to break a content lock at all without this permission.

Steps to Reproduce

Here's a bug where a user can break locks without the `break content lock` permission:

1. Create an editor role without the `break content lock` permission but with access to edit nodes created by users with this role.
2. Create an editor user (username editor, password editor).
3. Log in as the editor user and create a node.
4. In another browser, log in as the super admin and open the node created by the editor user; this creates the lock.
5. Back in the editor user's browser, go to the Locked Content view, select the node created by this user (the editor user) in the bulk operations column and apply the "Break lock node" action.
6. Expected: because this role lacks the `break content lock` permission, the user should not be able to break the lock under any circumstances.
7. Actual: because the user has update access to the node they created, the `break content lock` action passes the access function and they are able to break the lock.

Proposed resolution

Update the action's access function to check for the `break content lock` permission in addition to update access on the entity.
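As an added illustration of the proposed check (example code, not the content_lock module's own `BreakLockNode` plugin), the action plugin below requires both conditions at once: the `break content lock` permission and update access on the entity. An update-only check, which is what the bug description above corresponds to, is shown in a comment for contrast. The plugin id, class name, namespace, and the `release()` call on the `content_lock` service are assumptions for the example; the `AccessResult` and entity `access()` APIs are Drupal core.

```php
<?php

namespace Drupal\content_lock_example\Plugin\Action;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Action\ActionBase;
use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Example bulk action that breaks a content lock.
 *
 * Hypothetical plugin for illustration; the id and label are assumed.
 *
 * @Action(
 *   id = "content_lock_example_break_lock",
 *   label = @Translation("Break lock (example)"),
 *   type = "node"
 * )
 */
class ExampleBreakLock extends ActionBase {

  /**
   * {@inheritdoc}
   */
  public function execute($entity = NULL) {
    if (!$entity instanceof ContentEntityInterface) {
      return;
    }
    // Assumed call: the content_lock service's release() signature is taken
    // as (entity_id, langcode, form_op, uid, entity_type) for this example.
    \Drupal::service('content_lock')->release(
      $entity->id(),
      $entity->language()->getId(),
      NULL,
      NULL,
      $entity->getEntityTypeId()
    );
  }

  /**
   * {@inheritdoc}
   */
  public function access($object, AccountInterface $account = NULL, $return_as_object = FALSE) {
    // Bulk actions may be called without an explicit account.
    $account = $account ?: \Drupal::currentUser();

    if (!$object instanceof ContentEntityInterface) {
      $result = AccessResult::forbidden('Not a content entity.');
      return $return_as_object ? $result : $result->isAllowed();
    }

    // Update-only check (the behaviour the issue reports): an editor who can
    // edit their own node passes, even without the permission.
    //   $result = $object->access('update', $account, TRUE);

    // Fixed check: the permission AND update access must both be allowed.
    // andIf() also combines cacheability, so the result is cached per
    // permissions and per entity access.
    $has_permission = AccessResult::allowedIfHasPermission($account, 'break content lock');
    $can_update = $object->access('update', $account, TRUE);
    $result = $has_permission->andIf($can_update);

    return $return_as_object ? $result : $result->isAllowed();
  }

}
```

With this check in place, step 7 of the reproduction above is denied: the editor user still has update access to their own node, but `allowedIfHasPermission()` returns neutral for a role without `break content lock`, and `andIf()` does not yield an allowed result unless both operands are allowed.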

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

✨ Feature request
Status

Needs work

Version

2.0

Component

Code

Created by

🇸🇰 Slovakia kaszarobert

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.


Merge Requests

Comments & Activities
