- Issue created by @andy inman
- Merge request !4Issue #3377831: Incorrect logic for 'edit-own' and 'delete-own' permissions β (Merged) created by andy inman
- Open on Drupal.org βCore: 10.0.7 + Environment: PHP 7.3 & MySQL 8last update
over 1 year ago Not currently mergeable. - last update
over 1 year ago Composer error. Unable to continue. - last update
over 1 year ago Composer error. Unable to continue. - π¬π§United Kingdom andy inman Gloucestershire, UK
I have learned: don't right-click the Open MR button hoping to check the URL - that will trigger the button action.
- last update
over 1 year ago 5 pass, 1 fail - π¦πΊAustralia larowlan π¦πΊπ.au GMT+10
This change looks reasonable to me.
Thanks for the MR.Will merge if tests pass
- Status changed to Needs work
over 1 year ago 9:04pm 28 July 2023 - π¦πΊAustralia larowlan π¦πΊπ.au GMT+10
Looks like there's a failing test, likely needs updating to match new logic
- last update
over 1 year ago 6 pass - π¬π§United Kingdom andy inman Gloucestershire, UK
Looks like there's a failing test, likely needs updating to match new logic
Confirmed - access tests were checking edit-own and delete-own permission based on revision uid rather than entity uid. I've changed that. I've also added a couple of tests cases to check update and delete when user has the edit/delete-own permission but is not the owner.
Before marking as RTBC, I think it's worth at least considering the possibility that somebody out there may have an access control strategy that would be broken by these changes. That seems very unlikely to me, but I suppose it's not impossible. In the worst case, people could get edit/delete access to micro-content that they're not supposed to be able to change. There's no simple solution - I'm just suggesting a pause for thought - maybe wait for a bit more import from others.
- π¬π§United Kingdom andy inman Gloucestershire, UK
Looks like there's a failing test, likely needs updating to match new logic
Confirmed - access tests were checking edit-own and delete-own permission based on revision uid rather than entity uid. I've changed that. I've also added a couple of tests cases to check update and delete when user has the edit/delete-own permission but is not the owner.
Before marking as RTBC, I think it's worth at least considering the possibility that somebody out there may have an access control strategy that would be broken by these changes. That seems very unlikely to me, but I suppose it's not impossible. In the worst case, people could get edit/delete access to micro-content that they're not supposed to be able to change. There's no simple solution - I'm just suggesting a pause for thought - maybe wait for a bit more input from others.
- π¦πΊAustralia acbramley
acbramley β changed the visibility of the branch 8.x-1.x to hidden.
- Status changed to RTBC
12 months ago 12:22am 21 December 2023 - π¦πΊAustralia sime Melbourne
Yeah the comparison to Media access checking is a good one - patch works for me.
-
acbramley β
committed ea4a16e9 on 8.x-1.x authored by
Andy Inman β
Issue #3377831 by Andy Inman, larowlan: Incorrect logic for 'edit-own'...
-
acbramley β
committed ea4a16e9 on 8.x-1.x authored by
Andy Inman β
- Status changed to Fixed
12 months ago 12:32am 21 December 2023 Automatically closed - issue fixed for 2 weeks with no activity.