"Edit search api exclude entity" is currently useless

Created on 29 October 2024, about 2 months ago

Problem/Motivation

The Edit search api exclude entity permission is currently useless due to the way the access check is implemented:

function search_api_exclude_entity_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL): AccessResultInterface {
  if ($field_definition->getType() == 'search_api_exclude_entity' && $operation == 'edit') {
    return AccessResult::allowedIfHasPermission($account, 'edit search api exclude entity');
  }
  return AccessResult::neutral();
}

Unfortunately, AccessResult::allowedIfHasPermission() returns allowed if the permission is set, but neutral if the permission is not set (see that method's documentation for details); thus this field access hook implementation is ignored for users without the permission.

Steps to reproduce

  • Configure search API exclude field on any entity type/bundle
  • Create a user without the Edit search api exclude entity permission but with the permission to create and/or edit the entity type/bundle with the search API exclude field
  • Field is visible/usable, even though the user does not have the appropriate permission

Proposed resolution

  • Rework field access hook implementation to return AccessResultForbidden if permission is not set for current user

Remaining tasks

  • Create issue fork and MR to fix this issue

User interface changes

n/a

API changes

n/a

Data model changes

n/a

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇩🇪Germany hctom
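
One way to implement the proposed resolution, shown as an added example (not the module's own code and not a merged fix). It keeps the hook signature and permission name from the issue and assumes only Drupal core's AccessResult::forbiddenIf() and cachePerPermissions():

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 */
function search_api_exclude_entity_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL): AccessResultInterface {
  // Only the exclude field's edit operation is restricted; express no
  // opinion on any other field or operation.
  if ($field_definition->getType() !== 'search_api_exclude_entity' || $operation !== 'edit') {
    return AccessResult::neutral();
  }

  $permission = 'edit search api exclude entity';

  // Core's default field access is "allowed" and hook results are OR-combined
  // with it, so a neutral result cannot revoke access. Forbidden overrides
  // allowed, which makes the denial explicit for users without the permission.
  // Users who have the permission get neutral and keep the default access.
  return AccessResult::forbiddenIf(
    !$account->hasPermission($permission),
    "The '$permission' permission is required."
  )
    // The outcome depends on the account's permissions, so vary the cached
    // result by permissions to avoid serving one user's result to another.
    ->cachePerPermissions();
}
```

To check the behaviour, repeat the steps to reproduce: the field should no longer appear on the edit form for a user who lacks the permission, and should still appear for a user who has it.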
