Flag permissions have no effect

Created on 7 April 2024, 9 months ago
Updated 23 April 2024, 8 months ago

Flag permissions for own items or profile have no effect

Install Drupal 10.
Install the Flag module.
Expose additional permissions for Flag Bookmark and Flag Follower.
Do not give permissions to users to flag own items or own profile.
They can still do it.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Component

Flag Follower

Created by

🇫🇷France Stado

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @Stado
  • 🇬🇧United Kingdom aaron.ferris

    It looks like the access condition in the UserFlagType class needs either the parent access result, OR the own/other profile permission.

    In this configuration, unless im missing something, the parent::actionAccess will return Allowed and the 'own' items result will be neutra, even though the user actually doesn't have the permission.

    $access = parent::actionAccess($action, $flag, $account, $flaggable);
    
        if ($flaggable && $this->hasExtraPermission('owner')) {
          // Permit selfies.
          $permission = $action . ' ' . $flag->id() . ' own user account';
          $selfies_permission_access = AccessResult::allowedIfHasPermission($account, $permission)
            ->addCacheContexts(['user']);
          $account_match_access = AccessResult::allowedIf($account->id() == $flaggable->id());
          $own_access = $selfies_permission_access->andIf($account_match_access);
          $access = $access->orIf($own_access);
  • Merge request !62Resolve #3439272 "Flag permissions have" → (Closed) created by aaron.ferris
  • Open on Drupal.org →
    Core: 9.5.x + Environment: PHP 7.3 & MySQL 5.7
    last update 9 months ago
    Waiting for branch to pass
  • 🇬🇧United Kingdom aaron.ferris

    Not convinced that push is the way to go on this to be honest, but it does resolve this issue (unsure of any consequences)

    1. With own account flag permission off = no access to own account flag
    2. With own account flag permission on = access to own account flag
    3. With other accounts flag permission on = access to other account flags
    4. With other accounts flag permission off = no access to other account flags

  • Pipeline finished with Failed
    9 months ago
    Total: 163s
    #140188
  • 🇹🇭Thailand AlfTheCat

    I'm experiencing this issue, and when creating a new (global) flag and trying to set the permissions for it the site throws a WSOD on saving the permissions with error:

    RuntimeException: Adding non-existent permissions to a role is not allowed. The incorrect permissions are "flag tec_draft_order_excel_lover", "unflag ***". in Drupal\user\Entity\Role->calculateDependencies() (line 207 of /var/www/***/core/modules/user/src/Entity/Role.php).

    I can't make new flags available anymore to any users, only UID1 is able to see and use flags.

Production build 0.71.5 2024