Entity operations links don't respect permissions

Created on 22 December 2022, over 1 year ago
Updated 3 February 2023, over 1 year ago

Problem/Motivation

Recurring Events provides permissions for cloning/editing events. When viewing a given series or instance, tabs are shown depending on the associated permission; that's working. However, if you navigate to the Event Series or Event Instances listing pages, the Operations pull down button shows some operations regardless of the permission.

Steps to reproduce

  1. Install and enable the module.
  2. Add a couple of event series (and thus event instances).
  3. Create a role that has access to view the event series and instance overview pages, but does NOT have any create/update/delete/clone permissions for events.
  4. Add a user with that role and log in as that user.
  5. Navigate to the Event Series listing page (/admin/events/series). Observe that the "Clone" and "Add instance" operations are incorrectly shown.
  6. Navigate to the Event Instances listing page (/admin/events/instances). Observe that the "Clone" and "Edit" operations are incorrectly shown.

Proposed resolution

Add permission checks to recurring_events_entity_operation() in recurring_events.module.
Use the 'update' operation instead of the 'edit' operation for checks in EventSeriesAccessControlHandler::checkAccess and EventInstanceAccessControlHandler::checkAccess.

🐛 Bug report
Status

Fixed

Version

2.0

Component

Recurring Events (Main module)

Created by

🇺🇸 United States greggmarshall Aurora/Denver, Colorado
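A sketch of the two changes named under "Proposed resolution", added here as an illustration and not taken from the Recurring Events code base. The module name `example_events`, the entity type ID `example_event`, the route name and the permission strings are all hypothetical; the Drupal core calls (`hook_entity_operation()`, `$entity->access()`, `AccessResult`) are real.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;

/**
 * Implements hook_entity_operation() for a hypothetical "example_events" module.
 */
function example_events_entity_operation(EntityInterface $entity) {
  $operations = [];
  // Assumed entity type ID; adjust to the entity the operations belong to.
  if ($entity->getEntityTypeId() !== 'example_event') {
    return $operations;
  }
  // Only add the link when the access handler grants the operation, so the
  // listing page agrees with the tabs shown on the entity itself.
  if ($entity->access('clone')) {
    $operations['clone'] = [
      'title' => t('Clone'),
      'weight' => 50,
      // Assumed route name and parameter.
      'url' => Url::fromRoute('entity.example_event.clone_form', ['example_event' => $entity->id()]),
    ];
  }
  return $operations;
}

/**
 * Access handler for the hypothetical entity type.
 */
class ExampleEventAccessControlHandler extends EntityAccessControlHandler {

  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    switch ($operation) {
      // Core's list builder asks for 'update' before showing "Edit"; a
      // case 'edit' branch would never match that check.
      case 'update':
        return AccessResult::allowedIfHasPermission($account, 'edit example events');
      case 'clone':
        return AccessResult::allowedIfHasPermission($account, 'clone example events');
    }
    // Unhandled operations get no opinion rather than an implicit allow.
    return AccessResult::neutral();
  }

}
```

To verify a fix like this, repeat the steps to reproduce with the restricted role and confirm the Operations button no longer lists the links that role has no permission for.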
