Permissions to control who can edit or delete value revisions

Created on 28 September 2024, 3 months ago

Problem/Motivation

I am not sure if I am thinking about this correctly at the moment, so help me out. Let's say user A adds a value to a field that is tracked by field value revisions, and they save the field. User B then comes along and edits the form. They now have the option to edit the previously submitted value.

Proposed resolution

We could create a permission that allows someone to control who can edit tracked values. It may be the standard set:

  • Edit value revisions
  • Edit own value revisions
  • Delete value revisions
  • Delete own value revisions

I could also understand if it were that no one should be allowed to edit or delete existing values, but rather there was some way of validating or invalidating those revisions.

User interface changes

Depending on direction, this could include

  • new permissions to configure
  • hiding or somehow preventing editing of values by those who do not have the permission
✨ Feature request
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States MegaKeegMan

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @MegaKeegMan
  • πŸ‡ΊπŸ‡ΈUnited States MegaKeegMan

    I did not mention in the original comment, but I was considering that we would not need a permission for create, given that I think someone who is allowed to edit a tracked field's parent entity should be allowed to create a value revision for that field.

  • πŸ‡ΊπŸ‡ΈUnited States mlncn Minneapolis, MN, USA

    My first thought is this is quite out of scope for this module since a major feature is that it does not need to override the form field widgets to do its work, it simply tracks things.

    But it would make it easy to add this sort of restriction, which could and should live in a separate module, though this could provide an API to look up the information so you don't have to go straight from the database to get:

    (value for a) delta -> revision it came from -> uid -> role

    and then you could form alter the specific deltas (i have not grokked the rules for this as you can tell from my attempts to blank out our meta fields.

    You would have to lock multivalue fields from changing positions in the form.

    So any rules you want to work out regarding who can edit whoms could be done.

Production build 0.71.5 2024