[PP-1] Update `experience_builder.(experience_builder|api.layout.get)` routes to respect content entity update/field edit access of edited XB field

Created on 31 March 2025, 2 days ago

Overview

This is a subset of the original scope of 📌 [PP-1] Add entity access checks to routes that deal with entities (Postponed).

Currently, the 'access administration pages' permission is hardcoded as the route requirement in a few places critical to loading the XB UI:

experience_builder.experience_builder:
  path: '/xb/{entity_type}/{entity}'
…
  requirements:
    _permission: 'access administration pages'

experience_builder.api.layout.get:
  path: '/xb/api/layout/{entity_type}/{entity}'
  defaults:
    _controller: 'Drupal\experience_builder\Controller\ApiLayoutController::get'
  requirements:
    _permission: 'access administration pages'
…

Proposed resolution

  1. Update experience_builder.experience_builder to use _entity_access.
  2. Update experience_builder.api.layout.get to respect entity update/field edit access of the edited XB field:
    1. entity update: use the _entity_access route requirement, which supports dynamic entity types.
    2. field edit: in the ::get() method, call ::fieldAccess(operation: 'edit'); this is not available as a route requirement (and the XB field name must first be resolved, which can realistically only happen in the controller).

User interface changes

  1. Grant the access administration pages permission to the anonymous user.
  2. As the anonymous user, access /xb/node/1/editor, which is an article node that the anonymous user cannot access.
    • HEAD: it loads just fine!
    • With this issue: 403.
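The two layers of the proposed fix, as an added example that is not the Experience Builder module's own code: the route requirement that replaces the hardcoded permission, and the per-field fieldAccess('edit') check inside ApiLayoutController::get(). The options.parameters upcasting block, the resolveXbFieldName() helper and the exact response-building code are assumptions, not taken from the page.

```php
<?php

/*
 * Route-level check (experience_builder.routing.yml). The _permission line
 * is replaced by _entity_access, which checks the 'update' operation on the
 * upcast {entity}. Assumed: the 'entity:{entity_type}' parameter type is
 * what lets the converter handle a dynamic entity type in the path.
 *
 * experience_builder.api.layout.get:
 *   path: '/xb/api/layout/{entity_type}/{entity}'
 *   defaults:
 *     _controller: 'Drupal\experience_builder\Controller\ApiLayoutController::get'
 *   options:
 *     parameters:
 *       entity:
 *         type: 'entity:{entity_type}'
 *   requirements:
 *     _entity_access: 'entity.update'
 */

namespace Drupal\experience_builder\Controller;

use Drupal\Core\Access\AccessResultReasonInterface;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException;
use Symfony\Component\HttpFoundation\JsonResponse;

class ApiLayoutController extends ControllerBase {

  public function get(FieldableEntityInterface $entity): JsonResponse {
    // Hypothetical helper (assumption): resolves the XB field on this entity.
    $field_name = $this->resolveXbFieldName($entity);

    // Field-level 'edit' access is not a route requirement, so ask the entity
    // type's access control handler here. Request the AccessResult object so
    // its cacheability (permissions, entity) is attached to the 403 response.
    $access = $this->entityTypeManager()
      ->getAccessControlHandler($entity->getEntityTypeId())
      ->fieldAccess('edit', $entity->getFieldDefinition($field_name), $this->currentUser(), $entity->get($field_name), TRUE);
    if (!$access->isAllowed()) {
      $reason = $access instanceof AccessResultReasonInterface ? $access->getReason() : '';
      throw new CacheableAccessDeniedHttpException(CacheableMetadata::createFromObject($access), $reason);
    }

    // Only reached when the route granted entity update access and the field
    // granted edit access: build the layout response as before (assumed shape).
    return new JsonResponse(['layout' => $entity->get($field_name)->getValue()]);
  }

}
```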
📌 Task
Status

Active

Version

0.0

Component

Page builder

Created by

wim leers, Ghent, Belgium
