- Issue created by @johnvb
The route for a content type's content edit form seems to have an incorrect entity access requirement, resulting in permissions problems, particularly noticeable when used alongside the Group module.
This is tricky to reproduce as I've only managed to reproduce it when interacting with the Group module, and custom code is required to allow Content Entity Builder content to be added to Group module groups. However, the proposed resolution is a simple change which brings the routing access requirements in line with the core Node module.
On an installation of Drupal 10.4.4, with Content Entity Builder 8.x-1.2 and Group 3.3.4:
Set up a content entity type as normal, so you are able to create content for a custom type.
You will need to code a Group Relation plugin (GroupRelationBase and DeriverBase) in order for your content entity type to be available for the Group module.
Set up the Group module so you are able to create groups of a type. On the group type's set available content page, install the plugin you created in the step above.
Set up the standard Drupal permissions so that all users have "Access content entity permission" for your content entity type. Also set it up so that authenticated users have "Edit own" permissions for the content entity type, but not "Edit any".
On the group type permissions (admin/group/types/manage/{group type}/permissions), set member permissions so that they can "Edit any" for the content type you created.
Now create a group and add another member. Create some content using the content entity type you created and add it to the group.
Log in as the other group member.
Expected outcome - The other group member should be able to view the content item added in the step above as well as edit it (because the group grants group members permission to edit any content of this type).
Observed outcome - the other group member can view, but not edit the content item, even though the group is set up so they should be able to.
In the ContentEntityBuilderRoutes class, there is code which adds various routes for each content type created. The route for the content edit form has an access requirement set as follows:
<?php
$route = new Route(
  // '/' . $content_type_id. '/{' . $content_type_id . '}/edit'.
  $path_edit,
  [
    '_entity_form' => $content_type_id . '.edit',
    '_title' => 'Edit ' . $content_type_label,
  ],
  [
    //'_permission' => "edit any $content_type_id content entity",
    '_entity_access' => "$content_type_id.edit",
  ]
);
?>
Note the setting for _entity_access, which appends ".edit" to the content type ID. Compare this to the NodeRouteProvider class in the core Node module, where you can see that the entity access requirement has '.update' appended rather than '.edit':
<?php
$route = (new Route('/node/{node}/edit'))
  ->setDefault('_entity_form', 'node.edit')
  ->setRequirement('_entity_access', 'node.update')
  ->setRequirement('node', '\d+')
  ->setOption('_node_operation_route', TRUE);
?>
Changing the access requirement in the ContentEntityBuilderRoutes class to "$content_type_id.edit" resolves the issue so that the assigned Group module permissions now correctly interact with the global permissions and group members are able to edit the group content.
Active
1.2
Code
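A simplified model of why the operation name in `_entity_access` matters, added here as an illustration; it is not code from Drupal core, Group or Content Entity Builder. It assumes the group-level access check maps only the core operation names (view, update, delete) to group permissions; every function name and the `my_type` entity type ID are hypothetical.

```php
<?php
// Simplified model of Drupal access results; not Drupal's or any module's code.
const ALLOWED = 'allowed';
const NEUTRAL = 'neutral';
const FORBIDDEN = 'forbidden';

// Combine results the way AccessResult::orIf() does: forbidden wins, then allowed.
function or_if(string $a, string $b): string {
  if ($a === FORBIDDEN || $b === FORBIDDEN) return FORBIDDEN;
  if ($a === ALLOWED || $b === ALLOWED) return ALLOWED;
  return NEUTRAL;
}

// Hypothetical stand-in for the entity type's own handler: global permissions only.
function global_access(string $op, array $perms, bool $is_owner): string {
  if (!in_array($op, ['edit', 'update'], true)) return NEUTRAL;
  if (in_array('edit any', $perms, true)) return ALLOWED;
  return ($is_owner && in_array('edit own', $perms, true)) ? ALLOWED : NEUTRAL;
}

// Hypothetical stand-in for a group-level access hook. Assumption: it only
// recognises the core operation names and stays neutral on anything else.
function group_access(string $op, array $group_perms): string {
  $map = ['view' => 'view', 'update' => 'edit any', 'delete' => 'delete any'];
  return isset($map[$op]) && in_array($map[$op], $group_perms, true) ? ALLOWED : NEUTRAL;
}

// Evaluate an "_entity_access" requirement of the form "entity_type.operation".
function route_allows(string $requirement, array $perms, array $group_perms, bool $is_owner): bool {
  [, $op] = explode('.', $requirement, 2);
  $result = or_if(global_access($op, $perms, $is_owner), group_access($op, $group_perms));
  // A route is only reachable when the combined result is explicitly allowed.
  return $result === ALLOWED;
}

// Constructed scenario from the report: a group member who is not the owner,
// with global "edit own" and group-level "edit any".
foreach (['my_type.edit', 'my_type.update'] as $req) {
  $ok = route_allows($req, ['edit own'], ['edit any'], false);
  printf("%-15s => %s\n", $req, $ok ? 'allowed' : 'denied');
}
```

Because an unrecognised operation yields a neutral result rather than an error, the mismatch fails closed and shows up only as an unexplained denial.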