- Issue created by @tomas.teicher
- πΈπ°Slovakia tomas.teicher
Sorry, my bad, everything works OK, I misunderstood $access->isAllowed() method.
Issue can be closed (works as designed).
DeleteAction::access method can grant access even if parent method denies it.
Related source code:
// Bail if the object is not an entity or access is denied.
if (!$object instanceof EntityInterface || !$access->isAllowed()) {
return $return_as_object ? $access : $access->isAllowed();
}
I think it is a typo, condition above is suggesting to forbid the access.
I suggest this adjustment:
if (!$access->isAllowed()) {
return $return_as_object ? $access : $access->isForbidden();
I think the condition for object type can be skipped too, because the class extends Drupal\Core\Action\Plugin\Action\EntityActionBase that probably has that check (but I didn't check this part).
I didn't face the problem with access practically, I have just found it in code. Drupal probably use to request $access variable as object, so the bug does not occur. That's why I set it as minor bug.
No other changes needed.
No changes needed.
No changes needed.
No changes needed.
Needs work
1.2
Code
Sorry, my bad, everything works OK, I misunderstood $access->isAllowed() method.
Issue can be closed (works as designed).