RoleDelegationRemoveRoleUser and RoleDelegationAddRoleUser access() method does not honor $return_as_object parameter

Created on 10 December 2024, 16 days ago

Problem/Motivation

RoleDelegationRemoveRoleUser and RoleDelegationAddRoleUser plugins override the patrent's access() method to allow to assign roles to users who do not have the administer users permission.

However, the code inside the method, assumes that $return_as_object parameter is always a boolean, hence giving false Access Denied errors to users with the permission mentioned above.

Steps to reproduce

Enable Role Delegation module
Create a View with VBO actions to add or remove roles from selected users
Run the view with a user with Administer Users permission, but not Role Delegation specific permissions
The VBO is returning an unexpected Access Denied error

Proposed resolution

Fix code to honor the $return_as_object parameter.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

1.0

Component

Code

Created by

🇪🇸Spain plopesc Valladolid

Live updates comments and jobs are added and updated live.

Merge Requests

!21RoleDelegationRemoveRoleUser and RoleDelegationAddRoleUser access() method does not honor $return_as_object parameter
Open
🇪🇸Spain plopesc
updated 14 days ago

Comments & Activities

Issue created by @plopesc
Merge request !21Issue #3492926: RoleDelegationRemoveRoleUser and RoleDelegationAddRoleUser... → (Open) created by plopesc
Pipeline finished with Failed
16 days ago
Total: 158s
#364465
Comment 16 days ago →
🇪🇸Spain plopesc Valladolid
Pipeline finished with Canceled
15 days ago
Total: 152s
#366298
Pipeline finished with Failed
15 days ago
Total: 219s
#366302
Comment 14 days ago →
🇺🇸United States mikohl
RTBC

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024