Contrib.social

The module attempts to obey content_translation_translate_access() but it does not

Open on Drupal.org β†’
Created on 24 February 2023, over 2 years ago

Problem/Motivation

In \Drupal\inline_translation\EntityOperations::isSupported() we do:

    // 4. Check access.
    if (!content_translation_translate_access($entity)) {
      return FALSE;
    }

content_translation_translate_access($entity) will never evaluate to false because it returns an object.

Proposed resolution

Change it to

    // 4. Check access.
    if (!content_translation_translate_access($entity)->isAllowed()) {
      return FALSE;
    }

and add a test.

Fortunately we're at alpha so not this does not require a security release.

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the β€œReport a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @alexpott
  • Status changed to Needs review over 2 years ago
  • Comment over 2 years ago β†’
    πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ
  • Comment over 2 years ago β†’
    πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

    I'm also wondering if this is a feature :) Like allows a user to translate an entity if they have edit access but doesn't give them access to the rest of the translation UI. Maybe we need a new permission that is allows people to use the inline translation stuff even without the normal content translation permissions. This opens a can of worms around naming though....

    "Use inline translation form even when you don't have the usual translation permissions" is a horrible permission name :D

  • Comment over 2 years ago β†’
    πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

    The alternative is to completely remove the check and add documentation that because this makes translation inline we don't check the regular content translation permissions and only access to the edit form is needed.

  • Comment 6 days ago β†’
    πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

    We need to address this prior to any stable release so raising this to critical.

  • Merge request !12Resolve #3344129 "The module attempts" β†’ (Merged) created by alexpott
  • Comment 5 days ago β†’
    πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

    I think this is the best approach - a user can remove the permission from any roles they don't want after update and the permission does not affect whether user get's access to edit an entity so nothing is changed for existing sites.

  • Pipeline finished with Skipped
    5 days ago
    #526389
  • Comment 5 days ago β†’
    System Message
  • Comment 5 days ago β†’
    πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024