Contrib.social

Allowed Languages does not respect content access permissions and grants access where one should not be granted

Open on Drupal.org β†’
Created on 8 March 2023, almost 2 years ago
Updated 19 April 2023, almost 2 years ago

Problem/Motivation

If a user does not have permission to edit or delete content they will still get access to delete the content if they have access to the language of the content.

This module should not be returning allowed access but only restrict access as its purpose is and in all other cases simply return a neutral answer so that the edit and delete access is determined by the corresponding permissions that are provided by the provider of the target entity.

Steps to reproduce

1. Create a user role with the following permissions used to review content only:

- 'access content overview'
- 'access toolbar'
- 'access user profiles'
- 'change own username'
- 'use workflow transition review_to_draft'
- 'use workflow transition review_to_publish'
- 'view any unpublished content'
- 'view page revisions'
- 'view latest version'
- 'view the administration theme'

2. Give only this new role to a user.
3. Allow access to all languages on the user profile of that user.
4. Log in with a user and navigate to admin/content
5. Observe that this user has access to the delete operation and even can execute it.

Proposed resolution

Only restrict access but do not grant access. Leave the access granting to the corresponding modules.

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Closed: duplicate

Version

2.0

Component

Code

Created by

πŸ‡©πŸ‡ͺGermany hchonov πŸ‡ͺπŸ‡ΊπŸ‡©πŸ‡ͺπŸ‡§πŸ‡¬

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024