Contrib.social

Access to registrations even when host isn't configured

Open on Drupal.org β†’
Created on 14 February 2025, about 2 months ago

Problem/Motivation

In \Drupal\registration\RegistrationAccessControlHandler::checkAccess, there is no explicit check to grant access to users with the 'administer registration' permission. This means that administrators are denied access to registrations if the host entity is misconfigured or disabled.

This becomes problematic in scenarios such as:

  • During migration from Drupal 7, where registrations might have been created under incorrectly configured or later disabled registrations on host entities (nodes).
  • When an administrator needs to troubleshoot or fix registrations but is met with a "permission denied" page.

Steps to reproduce

  1. As an administrator with the 'administer registration' permission, attempt to access a registration where the host entity is disabled or misconfigured.
  2. Observe that access is denied instead of allowing the administrator to manage the registration.

Proposed resolution

Modify \Drupal\registration\RegistrationAccessControlHandler::checkAccess to explicitly check for the 'administer registration' permission and grant access if the user has it. This would allow administrators to access registrations even when the host entity is misconfigured or disabled.

Remaining tasks

  • Update RegistrationAccessControlHandler::checkAccess to include a check for 'administer registration'.
  • Write tests to ensure administrators can access registrations in cases where the host entity is unavailable.
  • Update documentation to reflect the new behavior.

User interface changes

No direct UI changes, but administrators will now be able to access registrations that were previously blocked by access control restrictions.

✨ Feature request
Status

Active

Version

3.3

Component

Registration Core

Created by

πŸ‡¨πŸ‡¦Canada joelpittet Vancouver

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @joelpittet
  • Comment about 2 months ago β†’
    πŸ‡¨πŸ‡¦Canada joelpittet Vancouver

    This is trickier than I thought, after the access check allowing them through you run into:
    Error: Call to a member function getSetting() on null in Drupal\registration\Plugin\Field\FieldWidget\RegistrationSpacesWidget->formElement() (line 71 of modules/contrib/registration/src/Plugin/Field/FieldWidget/RegistrationSpacesWidget.php).

  • Comment about 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States john.oltman

    Interesting use case. Indeed, the module assumes a registration is for something (an event etc), and the host entity is that something. So it is not equipped to deal with it not existing or not configured. If not configured, wouldn't you just configure the host to fix? If not existing, you have a different problem. Soon the ability to "change host" will be live via a new registration_change_host submodule. This sounds like an opportunity to have that module allow for no old host - so a new one can be assigned.

  • Comment about 2 months ago β†’
    πŸ‡¨πŸ‡¦Canada joelpittet Vancouver

    @john.oltman, looking at the data there were only 8 events that had registrations where they were disabled after the event it would seem. I fixed those manually on D7 to deal with them. The real problem is where it looks like someone changed the registration type half way through, this is giving me similar access denied, it would seem. Maybe the check can be loosened? The saving grace here is that I can see the registration data on "View" even though I can't edit, so priority wise that mitigates the problem a bit.

  • Comment about 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States john.oltman

    The bigger issue seems to be cases where the registration type was changed mid-way through, which appears to be causing access denied errors.

    Are you referring to the value of the registration field on the host entity? Or the registration type assigned to various registrations.

  • Comment about 2 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom jonathanshaw Stroud, UK

    In \Drupal\registration\RegistrationAccessControlHandler::checkAccess, there is no explicit check to grant access to users with the 'administer registration' permission.

    No. But we do have:
    $result = parent::checkAccess($entity, $operation, $account);

    And EntityAccessControlHandler checks this permission:

    protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
...
    if ($admin_permission = $this->entityType
        ->getAdminPermission()) {
        return AccessResult::allowedIfHasPermission($account, $admin_permission);
    }
...
}

    But we call that parent check AFTER we check for host/configured.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024