Browser form does not respect entity access

Created on 13 July 2023, over 1 year ago

Problem/Motivation

ParagraphsBrowserForm does not check access correctly. Users are still presented with types that they are forbidden to create.

Steps to reproduce

Set up Paragraphs browser for a paragraphs field. Implement a custom entity create access hook for Paragraphs that will deny creation access to a bundle that is allowed to be added to the field, such as:

function hook_paragraph_create_access(\Drupal\Core\Session\AccountInterface $account, array $context, string $entity_bundle) {
  return $entity_bundle === 'mybundle'
    ? \Drupal\Core\Access\AccessResult::forbidden()
    : \Drupal\Core\Access\AccessResult::neutral();
}

Then use the paragraphs browser widget. On the modal form, you will still see 'mybundle' as an option to add. You will get an error if you try to actually click it to add the forbidden type - so access is still denied, it's just not good UX.

Proposed resolution

Instead of a conditional that hardcodes checking certain permissions that are specifically from the paragraphs_type_permissions submodule of Paragraphs, the standard Drupal entity access handler should be used.
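
A sketch of that approach, added here as an illustration (it is not code from Paragraphs Browser or from the merge request): the list of offered types is filtered through the paragraph entity type's access control handler, so create-access hooks such as the one in the steps above decide what is shown. The function name and its parameters are hypothetical.

```php
<?php

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical helper: keeps only the bundles the account may create.
 *
 * @param string[] $bundles
 *   Paragraph type machine names the field allows.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The user the browser form is being built for.
 * @param \Drupal\Core\Cache\CacheableMetadata $cacheability
 *   Collects the cache contexts and tags of every access decision.
 *
 * @return string[]
 *   The subset of $bundles with create access allowed.
 */
function example_filter_creatable_paragraph_types(array $bundles, AccountInterface $account, CacheableMetadata $cacheability): array {
  $handler = \Drupal::entityTypeManager()->getAccessControlHandler('paragraph');
  $creatable = [];
  foreach ($bundles as $bundle) {
    // Passing TRUE returns an AccessResultInterface instead of a bool, so
    // the decision carries its cacheability metadata. The handler invokes
    // hook_entity_create_access() and hook_paragraph_create_access().
    $access = $handler->createAccess($bundle, $account, [], TRUE);
    // Record the metadata for denied bundles as well: a list that omits a
    // type for one user must not be served from cache to another user.
    $cacheability->addCacheableDependency($access);
    if ($access->isAllowed()) {
      $creatable[] = $bundle;
    }
  }
  return $creatable;
}
```

The caller would apply the collected metadata to the form's render array with `$cacheability->applyTo($form)`. The access check performed when a paragraph is actually added stays in place; filtering the list only keeps the UI consistent with it.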

Remaining tasks

MR & review.

User interface changes

Users will no longer be able to see.

API changes

Data model changes

🐛 Bug report
Status

Needs review

Version

1.0

Component

Code

Created by

🇺🇸 United States bvoynick
