Contrib.social

The module attempts to obey content_translation_translate_access() but it does not

Open on Drupal.org →
Created on 24 February 2023, almost 2 years ago

Problem/Motivation

In \Drupal\inline_translation\EntityOperations::isSupported() we do:

    // 4. Check access.
    if (!content_translation_translate_access($entity)) {
      return FALSE;
    }

content_translation_translate_access($entity) will never evaluate to false because it returns an object.

Proposed resolution

Change it to

    // 4. Check access.
    if (!content_translation_translate_access($entity)->isAllowed()) {
      return FALSE;
    }

and add a test.

Fortunately we're at alpha so not this does not require a security release.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Needs review

Version

1.0

Component

Code

Created by

🇬🇧United Kingdom alexpott 🇪🇺🌍

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

  • Issue created by @alexpott
  • Status changed to Needs review almost 2 years ago
  • Comment almost 2 years ago
    🇬🇧United Kingdom alexpott 🇪🇺🌍
  • Comment almost 2 years ago
    🇬🇧United Kingdom alexpott 🇪🇺🌍

    I'm also wondering if this is a feature :) Like allows a user to translate an entity if they have edit access but doesn't give them access to the rest of the translation UI. Maybe we need a new permission that is allows people to use the inline translation stuff even without the normal content translation permissions. This opens a can of worms around naming though....

    "Use inline translation form even when you don't have the usual translation permissions" is a horrible permission name :D

  • Comment almost 2 years ago
    🇬🇧United Kingdom alexpott 🇪🇺🌍

    The alternative is to completely remove the check and add documentation that because this makes translation inline we don't check the regular content translation permissions and only access to the edit form is needed.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024