Access checks for denying current revision revert/delete need work

Created on 28 February 2023, over 1 year ago

Updated 13 June 2023, over 1 year ago

Problem/Motivation

🐛 Should not be able to Revert the Current revision Fixed added access checks to disallow deleting or reverting the current revision.
However it seems the access checks aren't quite right.
The results are andIf()'d together. The truth table on AccessResultInterface::andIf() notes a Neutral and a Allowed combined to be a Neutral.
Additionally for AccessResult::forbiddenIf($entity->isLatestRevision()) when $entity->isLatestRevision() is false then forbiddenIf will return Neutral. When combined with any other previous allowed a final Neutral will be returned.

Proposed resolution

Update access checks, verify access is as expected.

Switch AccessResult::forbiddenIf($entity->isLatestRevision()) to $entity->isLatestRevision() ? AccessResult::forbidden() : AccessResult::allowed() - i.e. a hard allowed not a neutral.
I think the revert case will need a similar change.

Add tests?

📌 Task

Status

Active

Version

2.0

Component

Code

Created by

🇦🇺Australia fenstrat Australia

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @fenstrat
Comment over 1 year ago →
🇦🇺Australia fenstrat Australia
Forgot to mention, I came across this while making similar changes to media_revisions_ui in 📌 Drupal 10 compatibility fixes Fixed .

The tests there are what made me dig into find out what was going on. Adding tests here would probably add a lot more confidence around these changes.
Comment over 1 year ago →
🇮🇳India Deepthi kumari
Access check for Revert and delete updated

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024