Contrib.social

Mixed original language in content and taxonomy terms does not check access permissions correctly

Open on Drupal.org ā†’
Created on 12 October 2020, almost 5 years ago
Updated 19 April 2024, over 1 year ago

Problem/Motivation

We have a multilingual site with English being the default language. We have both content types and taxonomy terms translated. When creating content users can select the language used to create the content. Basically they are selecting between English and Finnish.

Permissions by Terms works fine when they create English content and term permissions are set to the English terms.

But there seems to be a mix up in languages when user creates a content in Finnish and attaches a term to it because the term default language is English.

When the method canUserAccessByNodeId() is called its getting the current language and the term default language and comparing those together:

if ($termInfo instanceof Term && $termInfo->get('langcode')->getLangcode() == $langcode) {

At least in our setup in the edit page, the current interface language returns fi but the term default language is usually returning en. This prevents the module from going to the code block which is checking for term permissions and always gives access denied to the user.

Proposed resolution

Ideally we could check if there is a translation for the term in the current language and use that in code. If the translation is not found we could fallback to the default language and see if there are matching permissions for that. But this is problematic if there is a situation where the taxonomy term translations would have different permissions attached.

šŸ› Bug report
Status

Needs work

Version

3.1

Component

Code

Created by

šŸ‡«šŸ‡®Finland heikkiy Oulu

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago ā†’
    šŸ‡ŗšŸ‡øUnited States j.cowher

    Re-rolled the patch from #4 to apply to version 3.1.33.

  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago ā†’
    šŸ‡ŗšŸ‡øUnited States j.cowher
  • Comment 3 months ago ā†’
    šŸ‡ØšŸ‡¦Canada pavlosdan

    We got bit by this very recently! Thanks for the patch!

  • Comment 3 months ago ā†’
    šŸ‡ØšŸ‡¦Canada pavlosdan

    This will probably need tests before going in.

  • Comment 3 months ago ā†’
    šŸ‡µšŸ‡±Poland sergey.semchuk

    My Use Case:

    On my multilingual site, I have:

    Two languages: English (en) and Czech (cz).

    Permissions taxonomy terms where the original entity language is 'en', and they have 'cz' translations.

    A node (of a certain content type) that has only the Czech (cz) translation.

    When checking access using the AccessCheck::canUserAccessByNode() method from the permissions_by_term module, this condition:

    if ($termInfo instanceof Term && $termInfo->get('langcode')->getLangcode() == $langcode)

    returns FALSE.

    Reasons

    • $termInfo is loaded using Term::load($term->tid);, so it's always the original entity, which in this case has language 'en'.
    • $langcode is 'cz', because it's taken from the node translation being viewed.
    • Therefore, the condition fails, and the access logic is skipped entirely ā€” as if no permission term exists for that language.

    As a result, access to the node is incorrectly granted to all users, even though it is restricted by the attached permission term.

    The patch Iā€™m attaching changes the logic so that the correct translation of the taxonomy term (matching the current $langcode) is used when performing access checks. This ensures proper comparison and access control.
    The patch was created for Permissions by Term 3.1.26.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024