"Edit the co-authors of co-authored content" permission is not respected

Created on 8 September 2023, about 1 year ago

Problem/Motivation

An added co-author can change co-authors without errors even if his role does not have the permission to "Edit the co-authors of co-authored content".

Steps to reproduce

Installed with composer and drush on a fresh Drupal 10.1.2 site, created an article as user1, created user2 and user3 as content editors (without setting any new permission), added user2 as co-author, logged in as user2, checked that he is able to remove himself and add user3, retried after adding and removing the permission to content editors but nothing changed.

🐛 Bug report
Status: Active
Version: 1.1
Component: Code
Created by: 🇮🇹Italy kopeboy Milan

Comments & Activities

  • Issue created by @kopeboy
  • 🇧🇪Belgium dieterholvoet Brussels

    Access is configured like this:

    1. If the administer nodes or edit co-authors of all content permission is granted, edit access is always allowed
    2. If the edit co-authors of own content permission is granted and you author the node, edit access is granted
    3. If the edit co-authors of co-authored content permission is granted and you co-author the node, edit access is granted

    Maybe the consideration of the administer nodes permission feels unexpected to you? I did it because the description of that permission (Promote, change ownership, edit revisions, and perform other tasks across all content types) seemed to fit changing co-authors. Let me know if you feel like this does not make sense.

  • Status changed to Closed: works as designed about 1 year ago
  • Status changed to Active about 1 month ago
  • 🇮🇹Italy kopeboy Milan

    Sorry for the late reply... but had you actually tested what you said?

    I just retried with a fresh install (this time v1.1.1 with Drupal 10.3.6) and I confirm the issue title: "Edit the co-authors of co-authored content" permission is (still) not respected.

    Detailed steps to reproduce:

    1. Allow editing co-authors only to Editors & Admin:
    2. For completeness, these are the node edit permissions (Auth user can also create articles):
    3. Now log in as an Authenticated user and this is the /node/add:

    He shouldn't, but he can edit the co-authors.
    So your point 2 above is false:

    If the edit co-authors of own content permission is granted and you author the node, edit access is granted

    that permission wasn't granted!

  • 🇧🇪Belgium dieterholvoet Brussels

    You're right, seems like since any field access is allowed by default, node_co_authors_entity_field_access() should explicitly return forbidden instead of neutral as access result if access is not allowed.

  • Merge request !12 Fix field access check → (Merged) created by dieterholvoet
  • Pipeline finished with Skipped
    3 days ago
    #344742
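
The point made in the last comment, as an added example that is not the module's own code: a hook_entity_field_access() implementation that applies the three access rules listed earlier in the thread and returns forbidden rather than neutral when none of them match. The module name mymodule, the field name co_authors and the co-author permission machine names are assumptions.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 *
 * Hypothetical module "mymodule". The field name "co_authors" and the
 * co-author permission machine names are assumptions for this example.
 */
function mymodule_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL) {
  // Only guard edits of the co-authors field on nodes.
  if ($operation !== 'edit'
    || $field_definition->getTargetEntityTypeId() !== 'node'
    || $field_definition->getName() !== 'co_authors') {
    return AccessResult::neutral();
  }

  // Rule 1: site-wide permissions always allow editing.
  $allowed = $account->hasPermission('administer nodes')
    || $account->hasPermission('edit co-authors of all content');

  $node = $items ? $items->getEntity() : NULL;
  if (!$allowed && $node) {
    $uid = (int) $account->id();
    // Rule 2: the node's author holding the "own content" permission.
    $as_author = $account->hasPermission('edit co-authors of own content')
      && (int) $node->getOwnerId() === $uid;
    // Rule 3: a listed co-author holding the "co-authored content" permission.
    $co_author_ids = array_map('intval', array_column($items->getValue(), 'target_id'));
    $as_co_author = $account->hasPermission('edit co-authors of co-authored content')
      && in_array($uid, $co_author_ids, TRUE);
    $allowed = $as_author || $as_co_author;
  }

  // Field access defaults to allowed, and when hook results are combined a
  // forbidden result wins while a neutral one changes nothing. Returning
  // neutral here would leave the field editable, so deny explicitly.
  $result = $allowed
    ? AccessResult::allowed()
    : AccessResult::forbidden('Not permitted to edit co-authors.');
  $result->cachePerPermissions()->cachePerUser();
  return $node ? $result->addCacheableDependency($node) : $result;
}
```

When no entity is passed to the hook, only the site-wide rule can be evaluated, so the example denies edit access in that case unless rule 1 applies.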