Wrong _entity_access for delete_form route

Created on 18 April 2021, over 4 years ago
Updated 11 July 2025, 21 days ago

Problem/Motivation

For now, this route have the following requirements:

  requirements:
    _entity_access: 'root_parent.update'

This is nice in most cases because the Paragraph Access Handler is inline with this "access delegation" to the parent entity.
This is done in the following code:

      // Delete permission on the paragraph, should just depend on 'update'
      // access permissions on the parent.
      $operation = ($operation == 'delete') ? 'update' : $operation;

To summarize, this is working because this route and the Access Handler are doing the same delegation

But what if someone want to create its own Paragraph access Access Handler and do not want to delegate the delete access to the update operation of the parent entity?

In this case, the route requirements is wrong.

Proposed resolution

CHange the requirments into _entity_access: 'paragraph.delete'
By doing this, the Access Handler and the route requirements are always inline.

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇧🇪Belgium dunebl

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇨🇦Canada Nathan Tsai

    I am encountering this issue with the Paragraphs Permission module.

    Specifically, when I go to the node edit form with a restricted role, I can not edit it. (A locked symbol appears.)

    But when I go edit it through the contextual links provided by this modules, I can still edit it.

    This allows people to bypass permission issues.

  • Merge request !17Support Paragraph Permissions → (Open) created by Nathan Tsai
Production build 0.71.5 2024