Don't allow users to translate content they can't edit

Created on 21 August 2024, 3 months ago

Problem/Motivation

If a user has the permission 'translate editable entities' but they can't edit a particular content type/node, the user still sees the "Translate" operation for that node.

Steps to reproduce

Install a new Drupal site.
Enable the "Content Translation" module.
Go to /admin/config/regional/content-language.
Enable "Content" the "Custom language settings" field.
Expand "Content" and check the box beside "Article" and "Basic page".
Save configuration.
Go to /admin/config/regional/language.
Add a new language.
Create a new user with the "Content editor" role.
Edit permissions for the "Content editor" role.
Enable the "Create translations", "Delete translations", "Edit translations", and "Manage translations for any entity that the user can edit" permissions.
Disable the "Basic page: Create new content", "Basic page: Delete own content", "Basic page: Delete revisions", "Basic page: Edit any content", and "Basic page: Edit own content" permissions.
Save permissions.
As an Administrator, create a published Basic page node.
In an incognito window, login as the new Content editor user.
Go to /admin/content.
Verify you still see the "Translate" operation button.

Proposed resolution

In content_translation.module, content_translation_translate_access(), the condition added for the 'translate editable entities' permission paired with the 'update' access check of the entity can be false, but the overall condition will be true.

We need to be able to negate the condition if user has the 'translate editable entities' permission but doesn't have 'update' access for the entity. I think this can be done in a second if statement based on the current $condition variable being true.

Remaining tasks

Review issue and proposed patch.

User interface changes

None.

Introduced terminology

None.

API changes

None.

Data model changes

None.

Release notes snippet

🐛 Bug report

Status

Closed: works as designed

Version

11.0 🔥

Component

Content translation →

Last updated about 8 hours ago

No maintainer

Created by

🇺🇸United States weekbeforenext Asheville, NC

Live updates comments and jobs are added and updated live.

Merge Requests

!9285Don't allow users to translate content they can't edit
Closed
🇺🇸United States weekbeforenext
updated 3 months ago

Comments & Activities

Issue created by @weekbeforenext
Merge request !9285#3469550: Don't allow users to translate content they can't edit → (Closed) created by weekbeforenext
Pipeline finished with Success
3 months ago
Total: 672s
#260805
Comment 3 months ago →
🇺🇸United States weekbeforenext Asheville, NC
Digging a little more into the code from #3469550 I'm understanding that I can revoke the "Create translations", "Delete translations", and "Edit translations" and leave the "Manage translations for any entity that the user can edit" permission enabled to get the functionality to work as I expect it to...

My bad. Closing this, but I hope it helps others that run across this issue.
Status changed to Closed: works as designed 3 months ago9:53pm 21 August 2024
Comment 3 months ago →
System Message
weekbeforenext → closed merge request !9285

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024

Don't allow users to translate content they can't edit

Problem/Motivation

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Merge Requests

!9285Don't allow users to translate content they can't editClosed

Comments & Activities

!9285Don't allow users to translate content they can't edit
Closed