Add permissions to maintain registrations for editable host entities

Created on 7 April 2024, 12 months ago
Updated 28 April 2024, 11 months ago

Problem/Motivation

I may be missing something, but currently it does not seem possible with Permissions to allow a user, who created the content on which the registration exists, to view, edit, and delete registrations for just the content that they have editable access to. My use case is that I have an Event content type that all basic users can create, and I would like for the creator of the specific Event to be able to view all registrants to that event but not be able to view them on Events that they didn't create.

Right now, if I have "Administer own registrations - View, edit and delete own registrations of this type. Manage registrations and registration settings of this type for host entities to which a user has edit access." and "Administer own settings - Manage registrations and registration settings of this type for host entities to which a user has edit access." then the Event creator is able to view the 'Manage Registrations' local action button, view the Registrations tab and access the Settings and Email registrants tabs. However, the Registrations tab only shows "Registration summary for Test event: 1 space is filled." To actually be able to view the registrant form inputs, you need to add "Administer registrations - View, edit and delete any registrations of this type. Manage registrations and registration settings of this type for all host entities." But that then opens it up to all users being able to view all registrants and information. It would be nice to have a permission to "View, edit and delete any registrations of this type. Manage registrations and registration settings of this type for host entities to which a user has edit access."

Steps to reproduce

Install Drupal core at `10.2.2` and drupal/registration at `3.1.4`. Go through all the basic steps to create a registration and put it on a content type. Sign in as a basic user with the permissions to "Administer own registrations", "Administer own settings", "Register self", "Update own registrations", and "View own registrations." Create a piece of content of the same type. Register yourself. View the registrations. You shouldn't be able to see yourself registered but just a message indicating that one person has registered.

Proposed resolution

Create a Permission that allows a user to "View, edit and delete any registrations of this type. Manage registrations and registration settings of this type for host entities to which a user has edit access." This would allow a person who created the content type on which the registration form lives to be able to see the individual registration information instead of just a message noting how many people have registered, but on any piece of content the user did not create, the user will not be able to manage registrations.

✨ Feature request
Status

Fixed

Version

3.1

Component

Registration Core

Created by


Merge Requests

Comments & Activities

  • Issue created by @hannakras
  • 🇺🇸 United States john.oltman

    Thanks for the post. You are right that "Administer own registrations" gives you the Manage Registrations tab on editable host entities, with Registrations, Settings and Email Registrants as options, and that the Registrations option only gives you a summary. ("Administer own settings" and "Update own registrations" are implied by "Administer own registrations".) "View own registrations" gives you a Registrations tab when viewing your account, and the "Administer own" permission then gives you view/edit/delete to the items in that tab.

    Adding "View any registrations" permission turns the Manage Registrations summary into a listing. Adding "Edit any registrations" permission gives you edit access to the items in that listing. It is true though that giving "View any" and "Edit any" extends to any registration, not just registrations for the host entity the user has edit access to.

    I think what you are asking for is super-user access (view/edit/delete) to all the registrations for any host the user has edit access to. And no access to any other registrations. Basically to cordon off access to only registrations for host entities you authored or can edit. Can you confirm? I can see how the "Manage registrations for editable entities" permission might seem to imply this super-user access - but in reality it only gives you the Manage registrations tab, and then you have to add more permissions on top of it to get more than a summary.

  • Hey thanks for your responsiveness to this post and my previous one. Appreciate the change in 3.1.4.

    Yes, that's correct. I wanted a user to be able to view/edit/delete registrations on the host entities / content they create but not be able to view/edit/delete registrations on content they did not create. Cordoning off access to only registrations for host entities you authored or can edit, like you said.

    However, I think after reading your second paragraph and testing, I have a good enough solution. I was worried "View any registration" would provide too much access, but it seems like "Manage registrations for editable entities - Manage registrations of this type for host entities to which a user has edit access." paired with "View any registration" provides me enough functionality and the correct functionality.

    In my testing, "View any registration" seemingly does nothing without "Manage registrations for editable entities" because only the host entity editor gets the 'Manage Registrations' button. Together these allow only the editor of the host entity to view any registration. So pairing these two together works for me. The host entity editor can view a listing of the registrations instead of just a summary with these two permissions. The non-host cannot view anything because they do not get the 'Manage Registrations' button. I attached two screenshots showing the different views. Is this expected behavior?

    I'm fine with my users only having View capability and do not require Edit/Delete, so I can close this out unless you want to pursue this.

  • 🇺🇸 United States john.oltman

    Yes that is expected and is working correctly. Let's leave this issue open though - the solution you crafted using the existing permissions is correct, but it has one drawback - someone can guess at the URL of a registration not on their manage registrations listing (replace the registration number with a different one) and in this way gain access to view a registration that you might not want them to be able to see. Could be ok for your site, but I might as well close this loophole. I'll get a new permission added soon for this case.

  • Ah yes makes sense. Good call. Thanks!

  • 🇺🇸 United States john.oltman
  • 🇺🇸 United States john.oltman
  • Status changed to Fixed 12 months ago
  • 🇺🇸 United States john.oltman

    Committed to dev branch and will be in the next release. Also added this draft change record. The record will be published at the time of the next release.

  • 🇺🇸 United States john.oltman
  • Automatically closed - issue fixed for 2 weeks with no activity.
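
The loophole discussed in the thread, as an added example that is not part of the original issue or the Registration module's code: a simplified Python model in which the listing is gated on the host entity while "view any" is checked on the registration alone, compared with a host-scoped check on each registration. The permission labels, class names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: two Events (host ids 10 and 20), one registration on each.
@dataclass(frozen=True)
class Registration:
    rid: int
    host_id: int

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset
    editable_hosts: frozenset  # hosts this user has edit access to

REGISTRATIONS = {1: Registration(1, 10), 2: Registration(2, 20)}

# Permission labels are hypothetical stand-ins, not the module's machine names.
MANAGE_EDITABLE = "manage registrations for editable hosts"
VIEW_ANY = "view any registration"
VIEW_HOST_SCOPED = "view registrations for editable hosts"

def can_open_listing(user, host_id):
    """Gate on the Manage Registrations tab: checked against the host entity."""
    return MANAGE_EDITABLE in user.permissions and host_id in user.editable_hosts

def can_view_global(user, reg):
    """'View any' is decided on the permission alone; the host is never consulted."""
    return VIEW_ANY in user.permissions

def can_view_scoped(user, reg):
    """Object-level check: the registration's own host must be editable by the user."""
    return VIEW_HOST_SCOPED in user.permissions and reg.host_id in user.editable_hosts

def viewable_by_direct_url(user, check):
    """Registration ids the user can open by requesting each registration URL directly."""
    return sorted(rid for rid, reg in REGISTRATIONS.items() if check(user, reg))

# Event creator using the workaround from the thread (edits host 10 only).
WORKAROUND_USER = User("creator", frozenset({MANAGE_EDITABLE, VIEW_ANY}), frozenset({10}))
# Same creator with a host-scoped permission instead of 'view any'.
SCOPED_USER = User("creator", frozenset({MANAGE_EDITABLE, VIEW_HOST_SCOPED}), frozenset({10}))

if __name__ == "__main__":
    print("listing for host 20:", can_open_listing(WORKAROUND_USER, 20))
    print("workaround, direct URLs:", viewable_by_direct_url(WORKAROUND_USER, can_view_global))
    print("host-scoped, direct URLs:", viewable_by_direct_url(SCOPED_USER, can_view_scoped))
```

In the model the workaround user cannot open the listing for host 20, yet registration 2 is still viewable by direct URL; the host-scoped check limits the same user to registration 1.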
