Inconsistent update/delete access checks on content translations result in 403

Created on 5 January 2022, over 3 years ago
Updated 14 June 2023, almost 2 years ago

Problem/Motivation

The \Drupal\content_translation\Controller\ContentTranslationController::overview() method checks update/delete access on the untranslated entity, while \Drupal\content_translation\Access\ContentTranslationManageAccessCheck::access() checks access on the specific translation. Once an entity access check depends on the value of a translatable field or on the language of the translation being checked, the two decisions can disagree: the overview renders an edit or delete link for a translation, but the translation form that the link points to is denied for that translation, even though the user is able to use the regular edit form.

Steps to reproduce

  • Install Drupal using Standard profile.
  • Install 2.x version of Allowed Languages module.
  • Enable multiple languages, e.g. English & French.
  • Grant the following permissions to the Content Editor role:
    • Article: Delete any content
    • Article: Edit any content
    • Delete translations
    • Edit translations
    • Translate Article content item.
  • Create an Article node in English as admin.
  • Translate it into French as admin.
  • Create user A of Content Editor role with French as the only allowed language.
  • Log in as user A and visit the list of the node's translations.
  • The edit link next to the French translation leads to the translation form, which shows 403 Access Denied for this user. The same happens with the delete link.
  • However, user A can still view the French translation and edit it through the Edit local task.

The Allowed Languages module merely implements a language-dependent entity access check that triggers the bug; the same could be achieved with a custom module. It also provides its own route access check, but even with the allowed_languages.content_translation_access_check service removed, the issue is still reproducible.

Proposed resolution

Perform the update/delete access check on the specific entity translation in the content translation overview, so that the overview and ContentTranslationManageAccessCheck::access() evaluate the same object.
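As an added illustration for the Problem/Motivation and the proposed resolution above (this is not code from Drupal core, the Allowed Languages module, or this issue's MR), the PHP below defines an entity access hook whose answer depends on a translatable field, then shows the two patterns side by side: checking the untranslated entity, as reported for overview(), and checking the specific translation, as ContentTranslationManageAccessCheck::access() does and as the fix proposes. The module name xlock, the translatable boolean field field_locked and the helper function names are assumptions made for the example.

```php
<?php

/**
 * @file
 * Added example for the content translation overview access issue. Not code
 * from Drupal core, Allowed Languages, or the issue's MR. The module name
 * "xlock", the translatable boolean field "field_locked" and the helper
 * functions are assumptions made for illustration.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 *
 * Forbids update/delete of a node translation whose own field_locked value is
 * TRUE. Because the field is translatable, $node and
 * $node->getTranslation('fr') can yield different results, which is exactly
 * the situation the issue describes.
 */
function xlock_node_access(NodeInterface $node, $operation, AccountInterface $account): AccessResultInterface {
  if (!in_array($operation, ['update', 'delete'], TRUE) || !$node->hasField('field_locked')) {
    return AccessResult::neutral();
  }
  // Reads the value of the translation that was passed in, not of the source.
  $locked = (bool) $node->get('field_locked')->value;
  $result = $locked
    ? AccessResult::forbidden('This translation is locked.')
    : AccessResult::neutral();
  // The decision depends on this translation's field data, so it must be
  // invalidated together with the entity.
  return $result->addCacheableDependency($node);
}

/**
 * Pattern the issue reports for ContentTranslationController::overview():
 * access is evaluated on the untranslated (source-language) entity, whatever
 * row of the overview is being rendered.
 */
function xlock_overview_access_as_reported(ContentEntityInterface $entity, string $langcode, string $operation): AccessResultInterface {
  return $entity->getUntranslated()->access($operation, NULL, TRUE);
}

/**
 * Pattern of ContentTranslationManageAccessCheck::access() and of the proposed
 * fix: access is evaluated on the translation the row links to.
 */
function xlock_overview_access_proposed(ContentEntityInterface $entity, string $langcode, string $operation): AccessResultInterface {
  if (!$entity->hasTranslation($langcode)) {
    return AccessResult::forbidden('No such translation.');
  }
  return $entity->getTranslation($langcode)->access($operation, NULL, TRUE);
}

/**
 * Walk-through for the French row of the overview.
 *
 * Assumes a constructed article whose English source has field_locked = FALSE
 * and whose French translation has field_locked = TRUE, loaded in its source
 * language, as a user holding "Article: Edit any content".
 *
 * Returns [reported, proposed] as booleans.
 */
function xlock_demo_french_row(NodeInterface $node): array {
  $reported = xlock_overview_access_as_reported($node, 'fr', 'update')->isAllowed();
  $proposed = xlock_overview_access_proposed($node, 'fr', 'update')->isAllowed();
  // Reported pattern: the source is unlocked, so an edit link is rendered for
  // the French row; following it hits a route check that evaluates the locked
  // French translation and answers 403.
  // Proposed pattern: the French translation is evaluated in the overview as
  // well, no link is rendered, and the overview agrees with the route.
  return [$reported, $proposed];
}
```

Both helpers return an AccessResult object (the third argument of EntityInterface::access() set to TRUE) rather than a bool so that the overview can merge each translation's access cacheability into its own render output; a per-translation decision that is cached without the translation as a dependency would reintroduce the same kind of mismatch through stale cache entries.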

Remaining tasks

  • Submit MR.
  • Write release notes snippet.

User interface changes

No.

API changes

No.

Data model changes

No.

Release notes snippet

TODO

🐛 Bug report
Status

Needs work

Version

9.5

Component
Content translation 


No maintainer
Created by

dmitriy.trt (Portugal)

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024