Multiple different access levels can cause permissions (terms) to be removed when updating content.

Created on 8 October 2021, over 3 years ago

Updated 2 February 2024, about 1 year ago

Problem/Motivation

We noticed during testing that some times when content authors update content, terms they don't have access to (But already existing on the entity) will be removed from the entity when they saved.

Steps to reproduce

Setup two terms, GroupA and GroupB
Setup two users, UserA and UserB
Assign GroupA to UserA and GroupB to UserB
Create a new node. Assign GroupA and GroupB to that node.
Login as UserA and update the page you just created.
Once it's saved, GroupB will now longer be assigned to the node

Proposed resolution

The root of the issue seems to be that the permissions_by_term_options_list_alter function is removing terms from the list that the user doesn't have access to. So when the content item is saved, the terms are lost. My proposed resolution is that in the existing validation function, we can compare the new terms to the ones currently associated to the entity. Then take any terms already associated to the entity that we don't have access to, and re-add them. That way nothing is lost on save and they can still remove terms they do have access to. That's what the attached patch does.

🐛 Bug report

Status

Needs review

Version

2.34

Component

Code

Created by

🇺🇸United States jacobbell84

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 1 year ago →
🇺🇸United States jacobbell84
Re-rolling for latest version

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024