User is forced to have the Bypass Paragraphs type content access control permission to add a paragraph

Created on 26 September 2024, about 2 months ago

Problem/Motivation

When a user has permission to add a number of paragraphs and a paragraph entity reference field has them, the user cannot add them using the Frontend Editing module, because the validation check that decides whether to display the button (allowAdd) does not check whether the user has creation access to a bundle (aka paragraph type).

Doing a trace, I found that at the very end Frontend Editing executes paragraphs_type_permissions_paragraph_access, and this is the code that checks the access:

  // If the current user has access to this type/operation, return access
  // allowed, forbidden otherwise.
  if ($account->hasPermission('bypass paragraphs type content access') || $account->hasPermission($operation . ' paragraph content ' . $type)) {
    $permissions[$account->id()][$type][$operation] = AccessResult::allowed()->cachePerPermissions();
  }
  else {
    $permissions[$account->id()][$type][$operation] = AccessResult::forbidden()->cachePerPermissions();
  }

As can be seen, if the user does not have the bypass permission it checks $op . ' paragraph content ' . $type, BUT $type is NULL, so it checks a permission that does not exist: create paragraph content.

Going back in the code, I see that $type comes from the $entity_bundle variable that should be passed to the EntityAccessControlHandler::createAccess function, but it is NULL.
createAccess is called from the Frontend Editing module's FieldREferenceHelper::allowAdd, and it seems that entity_bundle is being passed as NULL:

  // Check if user is allowed to create items of referenced type.
  return $this->entityTypeManager
    ->getAccessControlHandler($referenced_entity_type)
    ->createAccess(NULL, $this->currentUser, [], TRUE);

This forces granting the user the bypass permission to be able to see the button to add paragraphs.

Steps to reproduce

* Create an entity paragraph reference field in a content type (with unlimited references)
* Allow adding at least 2 paragraph types
* Create/use a user with a role that allows it to create one of the paragraphs referenced by the field created above.
* At this point, the user should be allowed to add one of the paragraphs of the field if they go to the normal editing form; let's create one.
* Configure Frontend Editing to allow the user to use it, add paragraphs and change the order.
* Go to the created content
* Check the user cannot add any paragraph
* Go to permissions and set Bypass Paragraphs type content access control permission to the role the user has.
* Go to the created content
* Check the user can add paragraphs using Frontend Editing

Proposed resolution

I think it is necessary to check whether the user has permission to add at least one of the allowed paragraphs in the referenced field configuration.
If the user is granted access to one of the paragraphs, the button will be displayed and, after clicking on it, the form will be displayed and will allow adding only the allowed paragraph bundles.

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

🇪🇸 Spain fran seva
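
One way to implement the check proposed above, as an added example that is not the Frontend Editing module's own code. The function name is hypothetical, and the reading of the field's handler_settings (target_bundles, negate) is an assumption about how the Paragraphs selection settings are stored.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Entity\EntityTypeBundleInfoInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

// Hypothetical helper: can $account create any bundle the field allows?
function example_allow_add_any_bundle(
  FieldDefinitionInterface $field,
  AccountInterface $account,
  EntityTypeManagerInterface $entity_type_manager,
  EntityTypeBundleInfoInterface $bundle_info
): AccessResultInterface {
  $target_type = $field->getSetting('target_type');
  $settings = $field->getSetting('handler_settings') ?: [];
  $all = array_keys($bundle_info->getBundleInfo($target_type));

  // Assumption: an empty 'target_bundles' means every bundle is allowed and
  // 'negate' turns the selection into an exclusion list.
  $selected = array_keys($settings['target_bundles'] ?? []);
  if (!$selected) {
    $allowed = $all;
  }
  elseif (!empty($settings['negate'])) {
    $allowed = array_diff($all, $selected);
  }
  else {
    $allowed = array_intersect($all, $selected);
  }

  $handler = $entity_type_manager->getAccessControlHandler($target_type);
  $cacheability = new CacheableMetadata();
  foreach ($allowed as $bundle) {
    // Pass the bundle, so "create paragraph content <type>" is what is checked.
    $result = $handler->createAccess($bundle, $account, [], TRUE);
    $cacheability->addCacheableDependency($result);
    // Do not orIf() the results: one forbidden bundle would veto the rest.
    if ($result->isAllowed()) {
      return AccessResult::allowed()->addCacheableDependency($cacheability);
    }
  }
  // Fail closed: no allowed bundle is creatable by this account.
  return AccessResult::forbidden()->addCacheableDependency($cacheability);
}
```

The result only decides whether the add button is shown; the add form still has to run createAccess() for the specific bundle being submitted.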
