The "from template" page should not direct check for a permission when building the list of templates.

Created on 31 July 2025, 3 days ago

Problem/Motivation

When building the list of templates for the "from template" page the 'clone [bundle] content' permission is checked directly. This skips additional access checks that might be in place leading to templates being shown that the user cannot actually clone from.

!$this->currentUser()
          ->hasPermission('clone ' . $bundle . ' content')

Steps to reproduce

Assuming you have some content templates in place already, implement a custom access check and deny access to the 'clone' operation on nodes. Verify that templates are shown on the "from template" page but that no clone can be created from them.

Proposed resolution

Use a proper access check on the source node for the template:

!$template->get('field_source')->entity->access('clone', NULL)

Remaining tasks

- Create MR
- Review MR
- Merge MR

User interface changes

N/A

API changes

N/A

Data model changes

N/A

🐛 Bug report

Status

Active

Version

1.2

Component

Code

Created by

🇳🇱Netherlands ricovandevin

Live updates comments and jobs are added and updated live.

Merge Requests

!8The "from template" page should not direct check for a permission when building the list of templates.
Open
🇳🇱Netherlands ricovandevin
updated 3 days ago

Comments & Activities

Issue created by @ricovandevin
Merge request !8Moved from directly checking permission to using access check. → (Open) created by ricovandevin
Comment 3 days ago →
🇳🇱Netherlands ricovandevin
Comment 1 day ago →
🇩🇪Germany a.dmitriiev
Thank you for reporting this bug. You have a good point, the check for access should be not only from one permission. I will review this MR soon.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024