Permission is not respected in modify field values action

Created on 24 August 2022, over 2 years ago

Updated 25 February 2023, almost 2 years ago

Problem/Motivation

The module provides "use views bulk edit" permission.
Permission is applied only for /admin/content/bulk-edit route.
It seems that this permission should also be respected when showing the "Modify field values" action on a view.
Currently, even the users without this permission are able to see the action.

Steps to reproduce

Enable the module and VBO module.
Create or edit any view
Add a "Views bulk operations" field (global)
Check the "Modify field values" action
Make sure to have a user without the "use views bulk edit" permission
Log in as that user
Access the view where "Modify field values" action is setup
The action should not be visible, but it is.

Proposed resolution

Add requirements annotation to the "Modify field values" action with _permission set to "use views bulk edit".

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Needs work

Version

2.6

Component

Code

Created by

🇷🇸Serbia petar_basic

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment almost 2 years ago →
🇺🇸United States joshuami Portland, OR
I can verify this patch does indeed fix the action to use the correct permission. The tests are failing because the test doesn't expect the permission in ViewsBulkEditModifyEntityValuesTest.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024