Contrib.social

RoleDelegationRemoveRoleUser and RoleDelegationAddRoleUser access() method does not honor $return_as_object parameter

Open on Drupal.org β†’
Created on 10 December 2024, about 2 months ago

Problem/Motivation

RoleDelegationRemoveRoleUser and RoleDelegationAddRoleUser plugins override the patrent's access() method to allow to assign roles to users who do not have the administer users permission.

However, the code inside the method, assumes that $return_as_object parameter is always a boolean, hence giving false Access Denied errors to users with the permission mentioned above.

Steps to reproduce

  • Enable Role Delegation module
  • Create a View with VBO actions to add or remove roles from selected users
  • Run the view with a user with Administer Users permission, but not Role Delegation specific permissions
  • The VBO is returning an unexpected Access Denied error

Proposed resolution

Fix code to honor the $return_as_object parameter.

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ͺπŸ‡ΈSpain plopesc Valladolid

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024