Roles with "View all scheduled transitions" permission can delete any transition

Created on 19 October 2022, over 2 years ago
Updated 15 June 2023, almost 2 years ago

Problem/Motivation

Roles with "View all scheduled transitions" can delete any scheduled transition, even for bundles that they don't have permission to edit or delete, which can lead to undesired issues.

Steps to reproduce

  1. Create 2+ roles.
  2. Create or enable 2+ different content types, then go to People → Permissions and assign View, Edit and Delete permissions for each content type to a specific role.
  3. On the same page, go to the Scheduled transitions section and assign Add, Reschedule and View scheduled transitions for each role to the relevant content type. Don't forget to assign "View all scheduled transitions" to both roles.
  4. Log in with one of the new roles and create new content from the assigned content type, then log out.
  5. Log in with the second role and create new content from the assigned content type.
  6. Go to the "Scheduled Transitions" tab under /admin/content/scheduled-transitions. You'll notice a "Delete" button next to the scheduled transition created by the other role.

Proposed resolution

Roles should NOT be able to delete scheduled transitions created by different roles.

System Info

Drupal version: 9.4.7
PHP version: 8.0.2

🐛 Bug report

Status: Active
Version: 2.3
Component: Code
Created by: alfattal (🇺🇸 United States, Minnesota)


Comments & Activities


  • 🇺🇸United States alfattal Minnesota

    @dpi Revoking this permission would result in NOT being able to Reschedule a transition although the permission for that is already set. That's another anomaly or even a bug that needs to be addressed.
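
The access decision from the steps to reproduce, as an added stand-alone example that is not code from the Scheduled Transitions module or from anyone in this thread. The role names, the sample transitions and the stricter rule (Delete requires edit access to the transition's bundle) are assumptions; only the "view all scheduled transitions" permission is named in the issue.

```php
<?php
// Stand-alone model of the access decision; not code from the Scheduled Transitions module.
const VIEW_ALL = 'view all scheduled transitions'; // permission named in the issue

// Constructed sample data mirroring the steps to reproduce (hypothetical role names).
$roles = [
  'role_a' => [VIEW_ALL, 'edit any article content', 'delete any article content'],
  'role_b' => [VIEW_ALL, 'edit any page content', 'delete any page content'],
];
$transitions = [
  ['id' => 1, 'bundle' => 'article', 'created_by' => 'role_a'],
  ['id' => 2, 'bundle' => 'page', 'created_by' => 'role_b'],
];

// Behaviour reported in the issue: the listing permission alone exposes Delete.
function canDeleteReported(array $perms, string $bundle): bool {
  return in_array(VIEW_ALL, $perms, true);
}

// Assumed stricter rule: Delete requires edit access to the transition's bundle.
function canDeleteScoped(array $perms, string $bundle): bool {
  return in_array("edit any $bundle content", $perms, true);
}

// Returns every (role, transition) pair where the rule grants Delete on a bundle
// the role cannot edit, i.e. the cross-bundle deletes the issue describes.
function crossBundleDeletes(callable $rule, array $roles, array $transitions): array {
  $found = [];
  foreach ($roles as $role => $perms) {
    foreach ($transitions as $t) {
      $canEdit = in_array("edit any {$t['bundle']} content", $perms, true);
      if ($rule($perms, $t['bundle']) && !$canEdit) {
        $found[] = "$role can delete transition {$t['id']} ({$t['bundle']})";
      }
    }
  }
  return $found;
}

// Run the same matrix against both rules and report any cross-bundle deletes.
foreach (['canDeleteReported', 'canDeleteScoped'] as $rule) {
  $hits = crossBundleDeletes($rule, $roles, $transitions);
  echo $rule, ': ', $hits ? implode('; ', $hits) : 'no cross-bundle deletes', PHP_EOL;
}
```

The same role-by-bundle matrix can be used as a regression check in a site's own test suite once the real permission names are substituted.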
