- Issue created by @jessebaker
- π§πͺBelgium wim leers Ghent π§πͺπͺπΊ
As long as we agree on what the server will pass to the client in π Pass current user's XB permissions to the XB UI Active , work on this could begin in parallel. But that probably makes little sense?
- πΊπΈUnited States mglaman WI, USA
π Pass current user's XB permissions to the XB UI Active is finished, can the updated and agreed upon format be updated here? Are we using raw permissions from Drupal or should it be createPage, etc because that is not what was done in the other ticket.
- πͺπΈSpain penyaskito Seville π, Spain πͺπΈ, UTC+2 πͺπΊ
@mglaman That includes the config-related permissions, which are all-or-nothing so are just flags. But we might want to still postpone on π Update `ApiContentControllers::list()` to expose available content entity operations in `meta` Active for the content related ones.
- π§πͺBelgium wim leers Ghent π§πͺπͺπΊ
#4++
Given that this could otherwise result in information disclosure vulnerabilities (not access bypass because the server side pieces are taken care of, at least once π [PP-1] Add entity access checks to routes that deal with entities Postponed + π [PP-1] Update `experience_builder.(experience_builder|api.layout.get) routes` to respect content entity update/field edit access of edited XB field Active are done), going ahead and tagging this a blocker for π± Milestone 1.0.0-beta1: Start creating non-throwaway sites Active .
- π§πͺBelgium wim leers Ghent π§πͺπͺπΊ