- Issue created by @larowlan
- 🇮🇳India Akhil Babu Chengannur
Akhil Babu made their first commit to this issue's fork.
- 🇮🇳India Akhil Babu Chengannur
Function definition of was updated in https://www.drupal.org/project/drupal/issues/3395404 Information disclosure access bypass for revision log fields when the JSON:API module is enabled (Fixed)
- 🇮🇳India Akhil Babu Chengannur
This means that all fields are editable if the user has 'update' access to the entity.
Is this valid now? Update access is checked only for the revision log field in the new definition.
```php
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  if (!$items instanceof FieldItemListInterface || $operation !== 'view') {
    return AccessResult::allowed();
  }
  $entity = $items->getEntity();
  $isRevisionLogField = $this->entityType instanceof ContentEntityTypeInterface && $field_definition->getName() === $this->entityType->getRevisionMetadataKey('revision_log_message');
  if ($entity && $isRevisionLogField) {
    // The revision log should only be visible to those who can view the
    // revisions OR edit the entity.
    return $entity->access('view revision', $account, TRUE)
      ->orIf($entity->access('update', $account, TRUE));
  }
  return AccessResult::allowed();
}
```
- 🇦🇺Australia larowlan 🇦🇺.au GMT+10
I think it's fine to say 'With a few exceptions, most fields return access result allowed by default'
There are other exceptions in e.g. comments
- 🇨🇦Canada Charlie ChX Negyesi Canada
Is this valid now?
yes it is. Let me emphasize a part of the code you pasted above:
if ($operation !== 'view') { return AccessResult::allowed(); }
What needs to be documented here is that you cannot rely on fieldAccess alone to check whether a field is accessible by a user; it must be andIf'd with entity access.
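One way to act on that advice, as an added example that is not code from the issue, the merge request or Drupal core (the `my_module_*` function names are hypothetical; the Drupal API calls used are real):

```php
<?php
// Added example, not part of the issue or of Drupal core.
// Shows the insufficient check (field access alone) beside the correct one
// (entity 'update' access andIf'd with field 'edit' access).
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Insufficient: relies on field access alone.
 *
 * FieldItemList::access() delegates straight to the access control handler's
 * fieldAccess(), and EntityAccessControlHandler::checkFieldAccess() returns
 * allowed() for every operation other than 'view'. So for 'edit' this is
 * allowed by default even for an account that may not update the entity.
 */
function my_module_field_editable_unsafe(ContentEntityInterface $entity, string $field_name, AccountInterface $account): AccessResultInterface {
  return $entity->get($field_name)->access('edit', $account, TRUE);
}

/**
 * Correct: entity-level 'update' access combined with field-level 'edit'
 * access via andIf(), so both must be allowed.
 *
 * Both calls pass $return_as_object = TRUE so the combined AccessResult keeps
 * the cacheability metadata of each part.
 */
function my_module_field_editable(ContentEntityInterface $entity, string $field_name, AccountInterface $account): AccessResultInterface {
  return $entity->access('update', $account, TRUE)
    ->andIf($entity->get($field_name)->access('edit', $account, TRUE));
}
```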
- Merge request !5857 Update Documentation of EntityAccessControlHandler.php (Open) created by Akhil Babu
- Status changed to Needs review
11 months ago 9:34am 18 December 2023 - 🇮🇳India Akhil Babu Chengannur
Thanks @larowlan and @Ghost of Drupal Past
I have updated function documentation as per the inputs.
- Status changed to Needs work
11 months ago 5:29pm 18 December 2023 - 🇺🇸United States smustgrave
Can it be documented in the issue summary why \Drupal\Core\Field\FieldItemList::access does not need to be updated?