Contrib.social

Rescheduling not possible without "View all scheduled transitions" permission

Open on Drupal.org β†’
Created on 29 October 2020, about 4 years ago
Updated 21 November 2024, 12 days ago

I have the "Article" content type enabled to for scheduled transitions & the user has the "View scheduled transitions for Content:Article entities" & "Reschedule scheduled transitions for Content:Article entities" permission. The "Reschedule" operation doesn't appear, unless the user has the "View all scheduled transitions".

The parent::checkAccess($entity, $operation, $account); in \Drupal\scheduled_transitions\ScheduledTransitionsAccessControlHandler::checkAccess() always seems to return a AccessResultNeutral result without the admin permission. This causes the reschedule-part never to be reached.

Is it normal that the "View all scheduled transitions" is marked as the admin persmission in the first place? Shouldn't this be the "Administer scheduled transitions" permission?

πŸ› Bug report
Status

Active

Version

2.0

Component

Code

Created by

πŸ‡§πŸ‡ͺBelgium rp7

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 12 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jastraat

    Not a final solution but I did find that updating the checkAccess function in ScheduledTransitionsAccessControlHandler.php to the following means that the node/media/etc access permissions apply + rescheduling is possible without the "view all scheduled transitions" permission and just the rescheduling permission for that type.

    protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account): AccessResultInterface {
    /** @var \Drupal\scheduled_transitions\Entity\ScheduledTransitionInterface $entity */
    $access = parent::checkAccess($entity, $operation, $account);

    if ($access->isNeutral()) {
      $for = $entity->getEntity();
      if ($for) {
        // Most entities don't have a matching permission for this; use update.
        if ($operation === ScheduledTransitionInterface::ENTITY_OPERATION_RESCHEDULE) {
          $entityOperation = 'update';
        }
        else {
          $entityOperation = $operation;
        }
        // Combine with entity access.
        $access = $for->access($entityOperation, $account, TRUE);
        $entityType = $for->getEntityTypeId();
        $bundle = $for->bundle();
        switch($operation) {
          case 'view':
            $access->andIf(
              AccessResult::allowedIfHasPermission($account, ScheduledTransitionsPermissions::viewScheduledTransitionsPermission($entityType, $bundle)),
            );
            break;

          case 'create':
            $access->andIf(
              AccessResult::allowedIfHasPermission($account, ScheduledTransitionsPermissions::addScheduledTransitionsPermission($entityType, $bundle)),
            );
            break;

          case 'delete':
          case 'update':
          case 'reschedule':
            if ($entity->isProcessed()) {
              return AccessResult::forbiddenIf($entity->isProcessed(), \sprintf('Cannot `%s` when Scheduled Transition has been processed.', $operation))->addCacheableDependency($entity);
            }
            $access->andIf(
              AccessResult::allowedIfHasPermission($account, ScheduledTransitionsPermissions::rescheduleScheduledTransitionsPermission($entityType, $bundle)),
            );
            break;
        }
        return $access;
      }
    }

    return $access;
  }

    This could definitely be improved but provides a rough approach.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024