Per-bundle view permissions are not checked for unpublished entities

Created on 14 May 2024, about 1 month ago

Problem/Motivation

Users with a bundle-specific view permission on unpublished entities (e.g. « View unpublished Alert Storage entities. ») obtain a 403 error when trying to visit /storage/{storage_id} (when the « Allow direct viewing of entities » option is enabled in the storage type edit form) or /storage/{storage_id}/translations. The dblog event states that « The 'view unpublished storage entities' permission is required. », which shows the bundle-specific permission is not checked.

Proposed resolution

Add per-bundle permissions checks for unpublished entities in the StorageAccessControlHandler.

πŸ› Bug report
Status

Needs review

Version

1.3

Component

Code

Created by

🇫🇷 France yohansenso
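
An added sketch of the check described under "Proposed resolution", written against Drupal core's entity access API; it is not the Storage Entities module's code or the merge request's patch. The class name, namespace and the per-bundle permission machine-name pattern are assumptions; only 'view unpublished storage entities' is taken from the dblog message quoted in the report.

```php
<?php

namespace Drupal\example_access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityPublishedInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical handler illustrating a per-bundle check for unpublished entities.
 */
class ExampleStorageAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // Only the "view unpublished" path is shown; everything else is delegated.
    $unpublished = $entity instanceof EntityPublishedInterface && !$entity->isPublished();
    if ($operation !== 'view' || !$unpublished) {
      return parent::checkAccess($entity, $operation, $account);
    }

    $permissions = [
      // General permission, as named in the dblog message.
      'view unpublished storage entities',
      // Assumed pattern for the bundle-specific permission; replace it with
      // the machine name the module actually registers for each bundle.
      'view unpublished ' . $entity->bundle() . ' storage entities',
    ];

    // 'OR': holding either permission is enough. When the account holds
    // neither, the result is neutral, which core treats as access denied.
    // allowedIfHasPermissions() already varies the cache per permissions;
    // the entity is added so a publish/unpublish invalidates the result.
    return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR')
      ->addCacheableDependency($entity);
  }

}
```

The same handler result should back both routes named in the report, so the direct view and the translations page cannot disagree about who may see an unpublished entity.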
