Trash's hook_entity_access should account for the 'view label' operation

Created on 27 May 2025, 9 days ago

Problem/Motivation

Trash has a hook_entity_access with the following code:

  $cacheability = new CacheableMetadata();
  $cacheability->addCacheContexts(['user.permissions']);
  $cacheability->addCacheableDependency($entity);

  if (trash_entity_is_deleted($entity)) {
    // Check if users can view, restore or purge deleted entities.
    if (in_array($operation, ['view', 'view label']) && $account->hasPermission('view deleted entities')) {
      return AccessResult::allowed()->addCacheableDependency($cacheability);
    }
    elseif ($operation === 'restore' && $account->hasPermission('restore ' . $entity->getEntityTypeId() . ' entities')) {
      return AccessResult::allowed()->addCacheableDependency($cacheability);
    }
    elseif ($operation === 'purge' && $account->hasPermission('purge ' . $entity->getEntityTypeId() . ' entities')) {
      // Ensure that trashed entities can only be purged in the workspace they
      // were created in or in Live.
      if (\Drupal::hasService('workspaces.manager')
        && \Drupal::service('workspaces.information')->isEntitySupported($entity)
        && ($active_workspace = \Drupal::service('workspaces.manager')->getActiveWorkspace())
        && !\Drupal::service('workspaces.information')->isEntityDeletable($entity, $active_workspace)
      ) {
        $cacheability->addCacheableDependency($active_workspace);
        return AccessResult::forbidden()->addCacheableDependency($cacheability);
      }

      return AccessResult::allowed()->addCacheableDependency($cacheability);
    }
    else {
      return AccessResult::forbidden()->addCacheableDependency($cacheability);
    }
  }

  // If the entity is not deleted, the 'restore' and 'purge' operations should
  // not be allowed.
  return AccessResult::forbiddenIf($operation === 'restore' || $operation === 'purge')
    ->addCacheableDependency($cacheability);

It doesn't account for the 'view label' operation. It should treat that operation the same as it does for 'view'. Otherwise, if another module asks permission for that operation on a trashed entity, it will return access denied, even if they have permission to view the trashed entity.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

3.0

Component

Code

Created by

🇺🇸United States bkosborne New Jersey, USA

Live updates comments and jobs are added and updated live.

Merge Requests

!65Trash's hook_entity_access should account for the 'view label' operation
Merged
🇺🇸United States bkosborne
updated 7 days ago

Comments & Activities

Issue created by @bkosborne
Merge request !65Handle 'view label' operation the same as 'view' for checking access to trashed entity → (Merged) created by bkosborne
Comment 9 days ago →
🇺🇸United States bkosborne New Jersey, USA
Pipeline finished with Failed
9 days ago
Total: 212s
#507736
Comment 8 days ago →
🇺🇸United States bkosborne New Jersey, USA
test failures are unrelated
First commit to issue fork.
Pipeline finished with Skipped
7 days ago
#509720
Comment 7 days ago →
System Message

amateescu → committed c055c6f5 on 3.x authored by bkosborne →
Issue #3526839 by bkosborne: Trash's hook_entity_access should account...
Comment 7 days ago →
🇷🇴Romania amateescu
Merged into 3.x, thanks!

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024