- 🇺🇸United States j.cowher
Re-rolled the patch from #4 to apply to version 3.1.33.
- Status changed to Needs review
over 1 year ago 6:06pm 19 April 2024
- 🇨🇦Canada pavlosdan
We got bit by this very recently! Thanks for the patch!
- 🇵🇱Poland sergey.semchuk
My Use Case:
On my multilingual site, I have:
Two languages: English (en) and Czech (cz).
Permissions taxonomy terms where the original entity language is 'en', and they have 'cz' translations.
A node (of a certain content type) that has only the Czech (cz) translation.
When checking access using the AccessCheck::canUserAccessByNode() method from the permissions_by_term module, this condition:
if ($termInfo instanceof Term && $termInfo->get('langcode')->getLangcode() == $langcode)
returns FALSE.
Reasons
- $termInfo is loaded using Term::load($term->tid);, so it's always the original entity, which in this case has language 'en'.
- $langcode is 'cz', because it's taken from the node translation being viewed.
- Therefore, the condition fails, and the access logic is skipped entirely, as if no permission term exists for that language.
As a result, access to the node is incorrectly granted to all users, even though it is restricted by the attached permission term.
The patch I'm attaching changes the logic so that the correct translation of the taxonomy term (matching the current $langcode) is used when performing access checks. This ensures proper comparison and access control.
The patch was created for Permissions by Term 3.1.26.
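The fail-open behaviour described in the comment above, as an added stand-alone PHP model. It is not the module's code and not the attached patch. `ModelTerm`, `canAccessOriginalOnly()`, `canAccessTranslationAware()` and the user names are hypothetical stand-ins; only the compared condition is taken from the comment.

```php
<?php
// Simplified stand-in for a translatable taxonomy term; not Drupal's Term class.
final class ModelTerm {
  public function __construct(
    private string $langcode,      // language of this term object
    private array $translations,   // langcodes the term is translated into
    public array $allowedUsers     // constructed: users the term permits
  ) {}
  public function langcode(): string { return $this->langcode; }
  public function hasTranslation(string $lc): bool {
    return $lc === $this->langcode || in_array($lc, $this->translations, true);
  }
  public function getTranslation(string $lc): self {
    $t = clone $this;
    $t->langcode = $lc;
    return $t;
  }
}

// The check as described: the original term's language is compared with $langcode.
function canAccessOriginalOnly(array $terms, string $user, string $langcode): bool {
  foreach ($terms as $term) {
    if ($term instanceof ModelTerm && $term->langcode() == $langcode) {
      if (!in_array($user, $term->allowedUsers, true)) {
        return FALSE;
      }
    }
  }
  return TRUE; // also reached when every term was skipped by the language test
}

// Translation-aware variant: resolve the term in the node's language before testing.
function canAccessTranslationAware(array $terms, string $user, string $langcode): bool {
  foreach ($terms as $term) {
    if ($term instanceof ModelTerm && $term->hasTranslation($langcode)) {
      $term = $term->getTranslation($langcode);
      if (!in_array($user, $term->allowedUsers, true)) {
        return FALSE;
      }
    }
  }
  return TRUE;
}

// Constructed data for the use case: term original 'en' with a 'cz' translation,
// node viewed in 'cz', and only the user 'editor' permitted by the term.
$terms = [new ModelTerm('en', ['cz'], ['editor'])];
var_dump(canAccessOriginalOnly($terms, 'anonymous', 'cz'));
var_dump(canAccessTranslationAware($terms, 'anonymous', 'cz'));
var_dump(canAccessTranslationAware($terms, 'editor', 'cz'));
```

A regression test for the real module can follow the same shape: an 'en' permission term with a 'cz' translation, a 'cz'-only node, and an assertion that a user without the term's permission is denied.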