StateTransitionFormFormatter does not check field level permissions

Created on 24 April 2025

Problem/Motivation

The StateTransitionFormFormatter does not check field level access controls before displaying the transition form.

This can lead to the transition form being incorrectly displayed to, and used by, users who do not have permission to use it.

Steps to reproduce

  • Install State Machine
  • Add a Workflow and a Field
  • Configure the field display to use the StateTransitionFormFormatter
  • Use hook_entity_field_access to deny the "edit" operation for all users on the field (see below)
  • View the entity and see that the transition form is still visible and usable.

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

// Implements hook_entity_field_access(): deny 'edit' on the state field for everyone.
function my_module_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL) {
  if ($field_definition->getName() == 'field_my_state_field' && $operation == 'edit') {
    return AccessResult::forbidden();
  }
  return AccessResult::neutral();
}

Proposed resolution

Check edit field permissions in the StateTransitionFormFormatter (alongside the existing entity access checks) and only render the form if the current user has both entity-level and field-level permission.
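As an added illustration of the proposed check (this is example code, not the State Machine module's own formatter), a formatter method that asks for both entity-level and field-level access before rendering anything; the 'update' entity operation, the class name and the placeholder form body are assumptions:

```php
<?php

namespace Drupal\my_module\Plugin\Field\FieldFormatter;

use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Field\FormatterBase;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical formatter that renders a transition form only when the
 * current user passes both entity-level and field-level access checks.
 */
class GuardedStateTransitionFormFormatter extends FormatterBase {

  /**
   * TRUE only if $account may update the host entity AND edit this field.
   *
   * The field-level call is the check this issue reports as missing:
   * hook_entity_field_access() denials for the 'edit' operation are only
   * honoured when the formatter asks FieldItemListInterface::access().
   */
  public function canShowTransitionForm(FieldItemListInterface $items, AccountInterface $account): bool {
    $entity = $items->getEntity();
    // Entity-level check (assumed to be what the formatter already does).
    if (!$entity->access('update', $account)) {
      return FALSE;
    }
    // Field-level check: consults hook_entity_field_access() for 'edit'.
    return $items->access('edit', $account);
  }

  /**
   * {@inheritdoc}
   */
  public function viewElements(FieldItemListInterface $items, $langcode) {
    $elements = [];
    if (!$this->canShowTransitionForm($items, \Drupal::currentUser())) {
      // Render nothing rather than a form the user may not submit.
      return $elements;
    }
    // Placeholder: the real formatter builds the transition form here.
    $elements[0] = [
      '#markup' => $this->t('Transition form would be rendered here.'),
    ];
    return $elements;
  }

}
```

In a real fix, request the access results with $return_as_object = TRUE and add their cacheability metadata to the render array, so that the rendered output is not cached for one user and served to another with different permissions.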

🐛 Bug report
Status

Active

Version

1.12

Component

Code

Created by

🇬🇧 United Kingdom lind101
