Contrib.social

`ValidReferenceConstraintValidator` should use the entity's owner, if applicable, in testing access to reference target

Open on Drupal.org β†’
Created on 28 November 2022, over 2 years ago
Updated 6 February 2023, about 2 years ago

Problem/Motivation

#2791269: Allow saving pre-existing references to inaccessible items β†’ added logic to test whether the current user has access to a reference target, when compiling a list of entities that should be validated as allowed targets. I recently had a kernel test get into some weird recursive/hard to debug conditions where I assumed that saving an entity would not have a contextual dependency on the current user. I think the access check should be EntityOwnerInterface aware, and if the entity doesn't implement this, fall back to the current behavior.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

This would be a change in behavior so thus a breaking change of sorts? Would like maintainer feedback on whether this is even possible or is too obscure a behavior change. I think a change record could be/should be sufficient?

Data model changes

Release notes snippet

πŸ› Bug report
Status

Needs review

Version

10.1 ✨

Component
FieldΒ  β†’

Last updated about 9 hours ago

Created by

πŸ‡ΊπŸ‡ΈUnited States bradjones1 Digital Nomad Life

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago β†’
    πŸ‡¬πŸ‡§United Kingdom jonathanshaw Stroud, UK

    I think the proposed change basically subverts the purpose of ValidReferenceConstraint. It's intended to check whether the current user can access an entity.

    This makes no sense outside of form submission, but that's the fault of how we are using it, not of the constraint itself.

    Validating that an entity can be accessed by its own owner is not an obvious need to me, and not something I'd particularly expect an entity reference field to do at any time.

    I'm sympathetic to the problem - see πŸ“Œ Always enforce basefield and entity-level constraints Active for context - but I think it needs to be seen in the bigger picture that our validation system has allowed quite a few bits to develop that only work for form submissions and don't make sense for entities in themselves.

    I suggest: works as designed.

  • Status changed to Needs work about 2 years ago
  • Comment about 2 years ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Seems there is still discussion to be had. But if carried forward issue summary will need to be updated with proposed solution.

  • Comment 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    This came up as a daily bugsmash target triage.

    Still seems to need discussion on approach and IS update.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024