Node revisions: permissions and access check

Created on 6 May 2020, over 4 years ago
Updated 5 May 2024, 7 months ago

Problem/Motivation

gnode provides the ability to set permissions by node type, e.g. view group_node:foo entity. Drupal core also provides the ability to set permissions by node type, e.g. Foo: View revisions.

At the moment, if both permissions are assigned to a particular role, users with that role are able to access other Groups' node revisions.

It would be great to check node revision access in the gnode module to ensure that users are only able to access node revisions within their Groups.

Proposed resolution

Decorate the access_check.node.revision access service in a custom GroupNodeRevisionAccessCheck access check service containing logic to check for Group access.

Remaining tasks

  • Assess request and proposed solution

User interface changes

TBC

API changes

TBC

Data model changes

TBC

Feature request
Status

Needs work

Version

1.0

Component

Code

Created by

🇦🇺Australia jorgegc
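
A sketch of the decorator described under "Proposed resolution", added here as an example; it is not code from this issue or from any of its patches. The module name gnode_revision_access and its service id are hypothetical. It assumes Group 1.x's GroupContent::loadByEntity() and GroupInterface::hasPermission(), core's NodeRevisionAccessCheck::access() signature, and that nodes not in any group keep core's result.

```php
<?php

namespace Drupal\gnode_revision_access\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\group\Entity\GroupContent;
use Drupal\node\Access\NodeRevisionAccessCheck;
use Drupal\node\NodeInterface;
use Symfony\Component\Routing\Route;

/**
 * Assumed gnode_revision_access.services.yml entry (hypothetical module):
 *   gnode_revision_access.node_revision:
 *     class: Drupal\gnode_revision_access\Access\GroupNodeRevisionAccessCheck
 *     decorates: access_check.node.revision
 *     arguments: ['@gnode_revision_access.node_revision.inner', '@entity_type.manager']
 */
class GroupNodeRevisionAccessCheck implements AccessInterface {
  protected $inner;
  protected $nodeStorage;

  public function __construct(NodeRevisionAccessCheck $inner, EntityTypeManagerInterface $etm) {
    $this->inner = $inner;
    $this->nodeStorage = $etm->getStorage('node');
  }

  public function access(Route $route, AccountInterface $account, $node_revision = NULL, NodeInterface $node = NULL) {
    // Core's per-type check ("Foo: View revisions") runs first, unchanged.
    $result = $this->inner->access($route, $account, $node_revision, $node);
    $node = $node_revision ? $this->nodeStorage->loadRevision($node_revision) : $node;
    if (!$node || !$result->isAllowed()) {
      return $result;
    }
    $memberships = GroupContent::loadByEntity($node);
    if (!$memberships) {
      return $result; // Assumption: ungrouped nodes keep core's answer.
    }
    // The gnode permission named in the summary, built for this node type.
    $permission = 'view group_node:' . $node->bundle() . ' entity';
    foreach ($memberships as $group_content) {
      if ($group_content->getGroup()->hasPermission($permission, $account)) {
        return $result->cachePerUser();
      }
    }
    return AccessResult::forbidden('Revision belongs to a group the user cannot view.')->cachePerUser();
  }
}
```

The group check can only narrow core's decision: it never grants revision access that the "Foo: View revisions" permission did not already allow.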


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇯🇵Japan ultrabob Japan

    I installed the latest patch, and went in and turned on view all revisions in global permissions and the view revision permission under the group type permissions. I have tracked down where I get access forbidden to Drupal\group\Plugin\GroupContentAccessControlHandler::entityAccess where the system is looking for a permission called "view all group_node:topic revision" against the list of permissions for the group in Drupal\group\Access\GroupPermissionChecker::hasPermissionInGroup. None of the permissions for the group had anything to do with revisions.

  • 🇯🇵Japan ultrabob Japan

    Actually, it sounds like my problem is different. I'm trying to figure out why I can't access revisions, and this ticket is trying to restrict access to revisions further. Please disregard.

  • 🇩🇪Germany kle

    Patch #4 cannot work: in GroupContentPermissionProvider::getPermission() a "case 'view all revisions'" is still missing.
    I added this in patch #5.
