Permission hardening for "Schedule a status change" transition dropdown

Created on 18 July 2023, over 1 year ago

Updated 5 August 2024, 3 months ago

In the "Schedule a status change" transition dropdown, users should only see transitions for which they have "Schedule X transition" permission.

Enable Lightning Workflows and Scheduler modules
Navigate to /admin/config/workflow/workflows and create a Workflow w/ states Draft, In Review, Published.
Add Workflow Transitions: Create new Draft, Send to Review, Publish
Select Basic Pages content type in "This Workflow Applies to" section
Assign Authenticated user "Basic Page: Create new content" permission.
Assign Authenticated User role "Use Create New Draft transition.". Other transition permissions should remain unchecked for the Authenticated user.
Assign Authenticated user "Schedule Send to review transition.". Other permissions for "Schedule X transition" should remain unchecked for Authenticated user.
As an Authenticated user , create a new Basic page.
At the bottom of the Add/Edit form, click on "Schedule a status change".

RESULT: User sees "Change to" dropdown w/ values "Draft", "In review", "Published".

EXPECTED: according to set permissions user should be able to see only "In review" transition in the "Change to" dropdown.

Patch attached

None

None

None

🐛 Bug report

Status

Closed: outdated

Version

1.0

Component

Code

Created by

🇺🇸United States oksana-c

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @oksana-c
Comment over 1 year ago →
🇮🇳India heykarthikwithu Bengaluru 🌍
Comment over 1 year ago →
🇮🇳India heykarthikwithu Bengaluru 🌍
Status changed to Closed: outdated 3 months ago2:14pm 5 August 2024
Comment 3 months ago →
🇸🇰Slovakia kaszarobert
As I see the same exact code was already merged into the module's src/Plugin/Field/FieldWidget/ModerationStateWidget.php

Production build 0.71.5 2024