Add field access check on `ApiAutoSaveController::post()`

I think this is the intent?

Test coverage looks great already 👍

Marking as critical see https://git.drupalcode.org/project/experience_builder/-/merge_requests/1... in 📌 Add test coverage for access exception in \Drupal\experience_builder\ClientDataToEntityConverter::checkPatchFieldAccess Active

Basically \Drupal\experience_builder\Controller\ApiAutoSaveController::post use to call \Drupal\experience_builder\ClientDataToEntityConverter::convert which did field access checks but it no longer does since 🐛 Page status changes from "Published" to "Changed" even when no actual changes are made Active

so basically 1 user with edit permission could get a field update into the auto-save and then another user without field update permission could publish the field update. I think the product goal is that user publishing should have all the permissions to do all the updates that happen on publish

We should move the test coverage from #3527156 https://git.drupalcode.org/project/experience_builder/-/blob/fe773efe8f3... to this issue, or make sure we have the same coverage

penyaskito → credited larowlan → .

Marking for preliminary review. We might want to do the trait for checking the field as Lee suggested, but could perfectly be part of the follow-up we wanted to open anyway and clear another critical beta blocker.

Leaving for Wim to evaluate.

I think @tedbow's Q should be answered by test coverage. 😇 This is a security matter, so here it makes sense to err on the side of caution.

Tagging needs review. We need to verify #note_543156 and #note_545354 is the expected outcome.

Merged in upstream after 🐛 PHPUnit Next Major tests failing Active landed; resolved several conflicts.

Very nice end result, and @penyaskito showing off with code elegance rarely seen! 🤓🤩🙇

Automatically closed - issue fixed for 2 weeks with no activity.