update report data permission not working

Created on 20 September 2023, over 1 year ago
Updated 20 September 2024, 3 months ago

Problem/Motivation

Users with the 'update report data' permission still can't see the update report data button if they are not user 1.

The code for deciding to show the button or not is currently, if($uid == 1 || in_array('update report data', $userRoles)) {...}, which means it is looking at the user's roles, not the permissions of the user.

Proposed resolution

Change the code to look for if the current user has the correct permission rather than looking for the permission name in the user's roles list.

πŸ› Bug report
Status

Fixed

Version

2.0

Component

Code

Created by

πŸ‡¬πŸ‡§United Kingdom belazoth

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @belazoth
  • Status changed to Needs review over 1 year ago
  • πŸ‡¬πŸ‡§United Kingdom belazoth

    I have made a merge request with the change that will hopefully fix this issue. This is also a patch with the same changes for those who might want to use the fix before it gets merged.

  • πŸ‡¬πŸ‡§United Kingdom belazoth

    I have updated the patch and merge request as I noticed that even if you had the permission 'update report data' you could not update the report data as it was looking for a different permission.

  • Status changed to Needs work about 1 year ago
  • πŸ‡¬πŸ‡§United Kingdom welly

    Looks pretty good to me. I would say it'd probably be preferable to inject β†’ the AccountProxy service rather than using Drupal::currentUser but can see the module was previously using that method to get the user. The class is well set up for dependency injection so I think it might be worth doing that.

    That's the only thing I would suggest, otherwise looks good.

    I'll put this in "Needs work" for now - if you feel like using dependency injection for the current user/accountproxy service then please do otherwise perhaps someone else can take a look and move it to RTBC?

  • Status changed to Needs review about 1 year ago
  • πŸ‡¬πŸ‡§United Kingdom belazoth

    Thanks for the suggestion Welly. I have updated the patch and the merge request, let me know if everything you have any other suggestions.

  • πŸ‡¦πŸ‡ΊAustralia thomwilhelm Sydney

    I ran into this same issue and had tracked it down to the same place, as the "Update Report Data" button wasn't displaying for me at all even as an administrator.

    One nitpick in the patch from #6:

    // Only show this button to users w/proper access or super user.
    $uid = $this->user->id();
    if ($uid == 1 || $this->user->hasPermission('update report data')) {
      $btn['run_button'] = [
        '#type' => 'markup',
        '#markup' => $this->t('<div style="float:right"><a class="button" href="/admin/reports/paragraphs-report/update" onclick="return confirm(\'Update the report data with current node info?\')">Update Report Data</a></div>'),
      ];
    }

    The hasPermission method in docroot/core/lib/Drupal/Core/Session/PermissionChecker.php already does a check to see if $uid == 1, besides, Drupal is moving away from using $uid == 1 logic as it's not very flexible:

    https://www.drupal.org/project/coder/issues/2975233 ✨ Add a sniff for checking against hard-coding uid=1 permissions Active
    https://www.drupal.org/project/drupal/issues/540008 πŸ“Œ Add a container parameter that can remove the special behavior of UID#1 Fixed

    With this in mind, I believe we can simplify the check to just be:

    // Only show this button to users w/proper access.
    if ($this->user->hasPermission('update report data')) {
      $btn['run_button'] = [
        '#type' => 'markup',
        '#markup' => $this->t('<div style="float:right"><a class="button" href="/admin/reports/paragraphs-report/update" onclick="return confirm(\'Update the report data with current node info?\')">Update Report Data</a></div>'),
      ];
    }
    
  • First commit to issue fork.
  • Status changed to RTBC 4 months ago
  • πŸ‡ΊπŸ‡ΈUnited States generalredneck

    Implemented thomwilhelm's feedback into the MR. User 1 and role permissions are working as expected. Going to call this one good to go.

  • Pipeline finished with Skipped
    4 months ago
    #276005
  • Status changed to Fixed 4 months ago
  • πŸ‡ΊπŸ‡ΈUnited States generalredneck
  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024