- Issue created by @penyaskito
- Merge request !1192#3532454: Add field access check on `ApiAutoSaveController::post()` β (Open) created by penyaskito
- π§πͺBelgium wim leers Ghent π§πͺπͺπΊ
Test coverage looks great already π
- πΊπΈUnited States tedbow Ithaca, NY, USA
Marking as critical see https://git.drupalcode.org/project/experience_builder/-/merge_requests/1... in π Add test coverage for access exception in \Drupal\experience_builder\ClientDataToEntityConverter::checkPatchFieldAccess Active
Basically
\Drupal\experience_builder\Controller\ApiAutoSaveController::postuse to call\Drupal\experience_builder\ClientDataToEntityConverter::convertwhich did field access checks but it no longer does since π Page status changes from "Published" to "Changed" even when no actual changes are made Activeso basically 1 user with edit permission could get a field update into the auto-save and then another user without field update permission could publish the field update. I think the product goal is that user publishing should have all the permissions to do all the updates that happen on publish
We should move the test coverage from #3527156 https://git.drupalcode.org/project/experience_builder/-/blob/fe773efe8f3... to this issue, or make sure we have the same coverage
- π¦πΊAustralia larowlan π¦πΊπ.au GMT+10
penyaskito β credited larowlan β .
- πͺπΈSpain penyaskito Seville π, Spain πͺπΈ, UTC+2 πͺπΊ
- πͺπΈSpain penyaskito Seville π, Spain πͺπΈ, UTC+2 πͺπΊ
Marking for preliminary review. We might want to do the trait for checking the field as Lee suggested, but could perfectly be part of the follow-up we wanted to open anyway and clear another critical beta blocker.
Leaving for Wim to evaluate.
