Contrib.social

Accountform is missing an entity field access check for 'mail'

Open on Drupal.org →
Created on 9 January 2023, about 2 years ago
Updated 14 February 2023, almost 2 years ago

Problem/Motivation

\Drupal\user\AccountForm programmatically checks entity field access for several User base field definitions. However, the 'mail' field has no such access check

Steps to reproduce

Implement a hook_entity_field_access() and forbid the mail field:

  if ($items && $items->getEntity()->getEntityTypeId() === 'user' && $field_definition->getName() === 'mail' && $operation == 'edit') {
    return AccessResult::forbidden();
  }

Proposed resolution

Add an access check for the Accountform 'mail' field.

Remaining tasks

  1. Write a patch
  2. Review
  3. Commit

User interface changes

None.

API changes

None.

Data model changes

None.

Release note

The user account form now applies entity field access to the 'Email address' field in line with other user account form fields. As a result, it is now possible to forbid accessing the 'Email address' field using hook_entity_field_access().

📌 Task
Status

Fixed

Version

10.1

Component
User module 

Last updated 7 days ago

Created by

🇳🇱Netherlands idebr

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago
    🇺🇸United States xjm

    Thanks for working on this and for providing test coverage. The fix looks correct to me.

    Based on #10, I think this needs a change record and a release note. (We typically provide release notes when we fix access control rules in a way that might require contrib or custom code, or site owners, to change access configuration.)

    Savin credit for @idebr for the patch and for @Lendude for review.

    Thanks!

  • Status changed to Needs review almost 2 years ago
  • Comment almost 2 years ago
    🇳🇱Netherlands idebr

    Added a change record: https://www.drupal.org/node/3336695

    Added a release note to the issue summary:

    The user account form now applies entity field access to the 'Email address' field in line with other user account form fields. As a result, it is now possible to forbid accessing the 'Email address' field using hook_entity_field_access().

  • Status changed to RTBC almost 2 years ago
  • Comment almost 2 years ago
    🇺🇸United States smustgrave

    Change record and release notes have been added. Since this was previously RTBC and there has been no code change adding back.

  • Comment almost 2 years ago
    System Message
    • lauriii committed c490d4ca on 10.1.x 
      Issue #3331947 by idebr, Lendude, xjm: Accountform is missing an entity...
  • Status changed to Fixed almost 2 years ago
  • Comment almost 2 years ago
    🇫🇮Finland lauriii Finland

    Committed c490d4c and pushed to 10.1.x. Thanks!

    Not backporting to 10.0.x or 9.5.x because of the potential disruption to custom code that is not taking into account that access is being checked for the mail field, but still want the mail field to be editable.

  • Comment almost 2 years ago
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024