DeleteAction class can return wrong access result

Created on 7 August 2024, 8 months ago

Problem/Motivation

DeleteAction::access method can grant access even if parent method denies it.

Steps to reproduce

Related source code:


 // Bail if the object is not an entity or access is denied.
    if (!$object instanceof EntityInterface || !$access->isAllowed()) {
      return $return_as_object ? $access : $access->isAllowed();
    }

I think it is a typo, condition above is suggesting to forbid the access.

Proposed resolution

I suggest this adjustment:

 if (!$access->isAllowed()) {
      return $return_as_object ? $access : $access->isForbidden();

I think the condition for object type can be skipped too, because the class extends Drupal\Core\Action\Plugin\Action\EntityActionBase that probably has that check (but I didn't check this part).

I didn't face the problem with access practically, I have just found it in code. Drupal probably use to request $access variable as object, so the bug does not occur. That's why I set it as minor bug.

Remaining tasks

No other changes needed.

User interface changes

No changes needed.

API changes

No changes needed.

Data model changes

No changes needed.

🐛 Bug report

Status

Needs work

Version

1.2

Component

Code

Created by

🇸🇰Slovakia tomas.teicher

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @tomas.teicher
Comment 8 months ago →
🇸🇰Slovakia tomas.teicher
Sorry, my bad, everything works OK, I misunderstood $access->isAllowed() method.
Issue can be closed (works as designed).
Issue was unassigned.
Status changed to Closed: works as designed 2 months ago4:00pm 10 February 2025
Comment 2 months ago →
🇱🇻Latvia Phonoman
You can and should close your own issues if they're not valid anymore.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024