Access Denied For Role Changes

Created on 14 July 2023, over 1 year ago

Problem/Motivation

This model waits for the user to update their account, and if a specific field value is changed on their profile the admin and user are notified via email, and the user's role is changed on the site.

When executing the attached model, all actions are executed; however, the role change action is denied. Upon log review, it appears that it fails to pass access credentials, as the action is being performed by the user and not the admin (for role change). The log is also stating that user: anonymous is performing the profile update.

Steps to reproduce

Set a target field on user profile to be observed in the model, save an initial value to that field, and then alter that field value.

🐛 Bug report
Status

Active

Version

1.1

Component

Code


Comments & Activities

  • 🇩🇪Germany jurgenhaas Gottmadingen

    Have you tried the action to switch user context in your model? If you e.g. switch to user 1 right before the assign role action, all should be fine.

  • That fixed it! Thank you, Jurgen!

  • Status changed to Fixed over 1 year ago
  • 🇩🇪Germany jurgenhaas Gottmadingen
  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed 2 months ago
  • 🇫🇷France alex.amtr

    Hi @jurgenhaas,
    The solution you propose seems to me very dangerous.
    If you give the administrator role to the current user and there is a problem restoring the initial role, the current user becomes an administrator.
    Am I right?

  • 🇩🇪Germany jurgenhaas Gottmadingen

    I'm not proposing to give the current user the admin role.

    What I'm proposing is to switch the user context inside the ECA model to allow the model to execute actions with more permissions than the current user. You can read more about that concept at https://ecaguide.org/eca/concepts/permissions/

    Note, if you write custom code instead, that code can always be executed without any limitations. The fact that ECA limits permissions by default is already a major improvement.

    Note 2: This issue was closed 1.5 years ago. It's not a good idea to continue discussions in closed issues. If you have a follow-up question, it's recommended to open a new issue and link back to the older one, if that's helpful to provide contextual information.
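For readers who take the "custom code instead" route mentioned above, the following is an added example (not code from the ECA module or from this issue) of the same context-switching idea using Drupal core's `account_switcher` service, with the switch-back placed in a `finally` block so the original user context is always restored, which is the concern raised in the previous comment. The function name, `$target_uid`, `$role_id` and the default privileged uid are placeholders; whether ECA's own action uses this service internally is not stated on the page.

```php
<?php

// Added example, not from the ECA module or this issue. Assumes Drupal core
// (8+) APIs only; function name and uids are placeholders.

use Drupal\user\Entity\User;

/**
 * Assigns $role_id to user $target_uid while running as $privileged_uid.
 *
 * The caller may be the (possibly anonymous) user who just edited their
 * profile, so the role assignment runs under an account that holds the
 * required permission. switchBack() sits in a finally block so the request
 * never keeps the elevated context, even if the assignment throws.
 */
function example_assign_role_as(int $target_uid, string $role_id, int $privileged_uid = 1): void {
  $switcher = \Drupal::service('account_switcher');
  $privileged = User::load($privileged_uid);
  if ($privileged === NULL) {
    throw new \RuntimeException("No account with uid $privileged_uid.");
  }

  $switcher->switchTo($privileged);
  try {
    // Confirm the switched context can actually manage roles; uid 1 bypasses
    // permission checks in Drupal, other accounts need this permission.
    if (!\Drupal::currentUser()->hasPermission('administer permissions')) {
      throw new \RuntimeException('Switched account cannot assign roles.');
    }
    $target = User::load($target_uid);
    if ($target === NULL) {
      throw new \RuntimeException("No account with uid $target_uid.");
    }
    $target->addRole($role_id);
    $target->save();
  }
  finally {
    // Always return to the original user context, whether or not the
    // assignment succeeded.
    $switcher->switchBack();
  }
}
```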
