"view event log entities" permission does not permit viewing log entities

Created on 28 February 2024, 9 months ago

Updated 13 March 2024, 8 months ago

Problem/Motivation

Assigning the "view event log entities" permission to a role allows that role to see the event log entity view - but clicking on an entity to bring up the details fails. The reason is that EventLogAccessControlHandler is checking the non-existent "view published event log entities" and "view unpublished event log entities".

Untested, but I see the access controller also references "delete event log entities" and "add event log entities" permissions which are not defined in events_logging.permissions.yml.

Steps to reproduce

Create a role with the "view event log entities" permission.
Assign the role to an account.
With this account, go to /admin/reports/view-event-log. The list of events will be displayed as expected.
Click on the linked "Name" from an event log entry, to open the event details. You will receive a 404 or "Permission denied" response.

Proposed resolution

For the immediate issue, I'll upload a patch to have the access controller simply check "view event log entities".

All the missing permissions should be added to the permission configuration. Although it might be worth thinking about whether they're needed - what's the use case for creating log entities through the admin UI? Why would they ever be unpublished?

Remaining tasks

User interface changes

N/A

API changes

N/A

Data model changes

N/A

🐛 Bug report

Status

RTBC

Version

2.0

Component

Code

Created by

🇺🇸United States mikeryan Murphysboro, IL, USA

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @mikeryan
Comment 9 months ago →
🇺🇸United States mikeryan Murphysboro, IL, USA
Comment 8 months ago →
🇮🇹Italy finex
Hi, the patch works for me. Thank you.
Status changed to RTBC 8 months ago8:57am 13 March 2024
Comment 8 months ago →
🇮🇹Italy finex

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024