field_inheritance_form_alter should enforce module permissions

Created on 30 December 2022, over 1 year ago
Updated 26 January 2023, over 1 year ago

Problem/Motivation

Users that do not have the "administer field inheritance" permission see the "Enable inheritance for this entity?" option when editing an entity/bundle that is allowed to have field inheritance, allowing any user with edit permission to configure field inheritance. That option should be limited to users whose roles have the "administer field inheritance" permission.

Steps to reproduce

  1. Enable the field inheritance module and configure an entity/bundle to allow field inheritance (we noticed the issue using Recurring Events).
  2. Add a role that does NOT include the "administer field inheritance" permission, but does have permission to create or edit the entity/bundle configured above, and log in as a user with only that role.
  3. Navigate to, and edit, an entity/bundle that has allow field inheritance enabled.
  4. Note the presence of the Field Inheritance fieldset with the "Enable inheritance for this entity?" option.

Proposed resolution

Check for the permission in field_inheritance_form_alter and return without altering the form if the user doesn't have the permission.

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Fixed

Version

2.0

Component

Code

Created by

United States greggmarshall Aurora/Denver, Colorado
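
The proposed resolution, sketched as an added example (not the Field Inheritance module's own code or the committed fix): a form alter hook that returns before adding anything when the current user lacks the permission, and checks again in the submit handler. The module name `mymodule`, the element keys, the key-value storage, and the permission machine name `administer field inheritance` are assumptions.

```php
<?php

use Drupal\Core\Entity\EntityFormInterface;
use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_alter() for a hypothetical module "mymodule".
 */
function mymodule_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Only entity add/edit forms are of interest.
  if (!$form_state->getFormObject() instanceof EntityFormInterface) {
    return;
  }
  // Authorization gate: edit access to the entity is not enough. Without the
  // module's own permission (machine name assumed), leave the form untouched,
  // so no element exists to receive input and no handler is registered.
  if (!\Drupal::currentUser()->hasPermission('administer field inheritance')) {
    return;
  }
  $form['mymodule_inheritance'] = [
    '#type' => 'details',
    '#title' => t('Field Inheritance'),
    '#open' => TRUE,
  ];
  $form['mymodule_inheritance']['mymodule_enable'] = [
    '#type' => 'checkbox',
    '#title' => t('Enable inheritance for this entity?'),
  ];
  $form['actions']['submit']['#submit'][] = 'mymodule_inheritance_submit';
}

/**
 * Submit handler (hypothetical): re-check the permission before writing.
 */
function mymodule_inheritance_submit(array &$form, FormStateInterface $form_state) {
  // Defence in depth: the write path enforces the same permission as the UI.
  if (!\Drupal::currentUser()->hasPermission('administer field inheritance')) {
    return;
  }
  $entity = $form_state->getFormObject()->getEntity();
  $enabled = (bool) $form_state->getValue('mymodule_enable');
  // Illustrative storage only; a real module would use its own config entity.
  \Drupal::keyValue('mymodule')->set($entity->uuid(), $enabled);
}
```

To verify, repeat the steps to reproduce with a role that lacks the permission and confirm the Field Inheritance fieldset is absent from the edit form.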
