Field permissions access override

Created on 29 May 2020, over 4 years ago
Updated 11 February 2024, 9 months ago

Problem/Motivation

Translating an entity using IEF allows users to bypass field access set by other modules (like field_permissions).

The access override is in Drupal\inline_entity_form\Form\EntityInlineForm.php:

    if (!empty($entity_form['#translating'])) {
      // Hide the non-translatable fields.
      foreach ($entity->getFieldDefinitions() as $field_name => $definition) {
        if (isset($entity_form[$field_name]) && $field_name != $langcode_key) {
          // Unconditional assignment: an '#access' => FALSE set earlier on this
          // element (e.g. by field_permissions) is overwritten with TRUE for
          // every translatable field.
          $entity_form[$field_name]['#access'] = $definition->isTranslatable();
        }
      }
    }
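The following is an added, stand-alone example written for this page; it is neither the inline_entity_form module's code nor the attached patch. It models the translating entity form as a plain PHP array in which another module has already set '#access' => FALSE on one field (this is what happens in practice: core's EntityFormDisplay::buildForm() sets each widget's '#access' from the field item list's 'edit' access result, which field_permissions can deny). FakeFieldDefinition, the two function names, the field names and the form array are all constructed here. The first function reproduces the overwrite shown above; the second is one way to only ever tighten access, which is the property a fix needs to have. It assumes PHP 8 or later.

```php
<?php
// Added example, not inline_entity_form code. Everything below is constructed.
declare(strict_types=1);

/** Stand-in for the isTranslatable() part of a Drupal field definition. */
final class FakeFieldDefinition {
  public function __construct(private bool $translatable) {}
  public function isTranslatable(): bool { return $this->translatable; }
}

/**
 * The behaviour quoted from EntityInlineForm: '#access' is overwritten with
 * isTranslatable(), so a FALSE set earlier by another module is lost.
 */
function hide_non_translatable_overwrite(array $entity_form, array $definitions, string $langcode_key): array {
  foreach ($definitions as $field_name => $definition) {
    if (isset($entity_form[$field_name]) && $field_name != $langcode_key) {
      $entity_form[$field_name]['#access'] = $definition->isTranslatable();
    }
  }
  return $entity_form;
}

/**
 * Tightening variant (an assumption, not the attached patch): a field stays
 * visible only if nobody denied it before AND it is translatable. An absent
 * '#access' means "allowed" in the Form API, so it defaults to TRUE before
 * being combined; the result can only ever become more restrictive.
 */
function hide_non_translatable_tighten(array $entity_form, array $definitions, string $langcode_key): array {
  foreach ($definitions as $field_name => $definition) {
    if (isset($entity_form[$field_name]) && $field_name != $langcode_key) {
      $entity_form[$field_name]['#access'] =
        ($entity_form[$field_name]['#access'] ?? TRUE) && $definition->isTranslatable();
    }
  }
  return $entity_form;
}

/** Names of the child elements a user would actually get to edit. */
function visible_fields(array $entity_form): array {
  return array_keys(array_filter(
    $entity_form,
    fn($element, $key) => $key[0] !== '#' && ($element['#access'] ?? TRUE),
    ARRAY_FILTER_USE_BOTH
  ));
}

// Constructed input mirroring the reproduction steps: field_1 denied by a
// field_permissions-style access check, field_2 left at the default,
// field_3 added as a non-translatable field, langcode as the language key.
$definitions = [
  'field_1'  => new FakeFieldDefinition(TRUE),
  'field_2'  => new FakeFieldDefinition(TRUE),
  'field_3'  => new FakeFieldDefinition(FALSE),
  'langcode' => new FakeFieldDefinition(FALSE),
];
$form = [
  '#translating' => TRUE,
  'field_1'  => ['#type' => 'textfield', '#access' => FALSE],
  'field_2'  => ['#type' => 'textfield'],
  'field_3'  => ['#type' => 'textfield'],
  'langcode' => ['#type' => 'language_select'],
];

echo "overwrite: " . implode(', ', visible_fields(hide_non_translatable_overwrite($form, $definitions, 'langcode'))) . PHP_EOL;
echo "tighten:   " . implode(', ', visible_fields(hide_non_translatable_tighten($form, $definitions, 'langcode'))) . PHP_EOL;
```

Run with `php example.php`. With the overwrite variant, field_1 comes back in the visible list even though its '#access' was FALSE on entry, which is the bypass from the reproduction steps; with the tightening variant it stays hidden, field_3 is hidden by both because it is not translatable, and the langcode element is skipped by both as in the original loop. The practical check when reviewing similar code is to look for any assignment to '#access' that is not combined with the value already present on the element.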

Steps to reproduce:

  1. Install drupal
  2. Enable all core multilingual modules (content_translation/config_translation/locale/language)
  3. Add a new language
  4. Create a new role (let's say redactor), and a new user (let's say John) having only the redactor role
  5. Install and enable inline_entity_form (1.0.0-rc6), field_permissions (1.0.0-rc2) and paragraphs (1.12.0)
  6. Create a new paragraph type
  7. Add two text fields to this paragraph type:
    • Field 1: set 'Field visibility and permissions' to custom permissions, and keep the default values
    • Field 2: keep all the default values
  8. Add a field to article node type referencing multiple paragraphs of the above paragraph type
  9. Under the form display tab, use the IEF - Complex for this paragraph field
  10. Make article & paragraph type translatable (and make sure all of the fields are translatable)
  11. Give the redactor role the following permissions:
    • create translations
    • create/update/translate article node type
    • see the administration theme
    • Use the toolbar
    • Access the Content overview page
    • View published content
  12. Log in as John, create and publish an article having a paragraph. You should only see field 2
  13. Translate it into another language, and edit the paragraph. You can now see both fields, even if you don't have permissions to edit field 1

Proposed resolution

The attached patch fixes the bypass.

🐛 Bug report
Status

Fixed

Version

3.0

Component

Code

Created by

🇫🇷France kbriand

Issue tags

Security improvements
