Prevent users who can't add micronode content from accessing /node/add-microcontent

Open on Drupal.org →

Created on 8 August 2023, over 1 year ago

Updated 22 August 2023, over 1 year ago

Problem/Motivation

The /node/add-microcontent route relies on the '_entity_create_any_access' => 'node' access check. As a result, users who have permission to create one or more regular node types, but no micronode types, are able to access the /node/add-microcontent route.

Once there, they are encouraged to create a new content type — something my test user is not authorized to do (which seems like a bug in Drupal\Core\EntityEntityCreateAnyAccessCheck?).

You have not created any content types yet. Go to the content type creation page to add a new content type.

Steps to reproduce

Create a user with the ability to add at least one regular node type.
Ensure that user does not have permission to create any micronode types.
Visit /node/add-microcontent.

Proposed resolution

Extend AccessInterface to implement MicronodeCreateAnyAccessCheck.
Update MicronodeRouteSubscriber to use new access check.

🐛 Bug report

Status

Fixed

Version

1.0

Component

Code

Created by

🇺🇸United States justcaldwell Austin, Texas

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @justcaldwell
Comment over 1 year ago →
🇺🇸United States justcaldwell Austin, Texas
Comment over 1 year ago →
🇺🇸United States justcaldwell Austin, Texas
Maybe don't extend AccessInterface because 📌 Deprecate empty AccessInterface and remove usages Needs work ?? Haven't had time to digest that thread yet. Ugh.
Open in Jenkins → Open on Drupal.org →
Core: 10.1.x + Environment: PHP 8.2 & MySQL 8
last update over 1 year ago
4 pass
@justcaldwell opened merge request.
Status changed to Needs review over 1 year ago9:00pm 8 August 2023
Comment over 1 year ago →
🇺🇸United States justcaldwell Austin, Texas
Test still needed, but the MR I just opened seems to be working well enough, and it would be good to get feedback.

I went ahead and extended AccessInterface (though it's empty) as that's consistent with current documentation → , and it's not clear—to me anyway—what the final resolution of 📌 Deprecate empty AccessInterface and remove usages Needs work will be.
Comment over 1 year ago →
🇺🇸United States justcaldwell Austin, Texas
Comment over 1 year ago →
🇺🇸United States justcaldwell Austin, Texas
Comment over 1 year ago →
🇺🇸United States justcaldwell Austin, Texas
First commit to issue fork.
Open in Jenkins → Open on Drupal.org →
Core: 10.1.x + Environment: PHP 8.2 & MySQL 8
last update over 1 year ago
4 pass
Comment over 1 year ago →
System Message

marcoscano → committed e951c646 on 1.0.x authored by justcaldwell →
Issue #3380025 by justcaldwell, marcoscano: Prevent users who can't add...
Status changed to Fixed over 1 year ago12:59pm 22 August 2023
Comment over 1 year ago →
🇪🇸Spain marcoscano Barcelona, Spain
Makes sense to me. Thanks for contributing!
Comment over 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024