Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
When looking into this issue it doesn't appear that a definitive 'forbidden' AccessResult is ever returned. If none of the permission checks pass in this case, the access is deferred until later by returning AccessResult::neutral() for both 'update' and 'delete'. Is this actionable as it stands?
Comments
Comment #2
Wim LeersComment #3
tstoecklerComment #4
owenbush CreditAttribution: owenbush commentedLooking at this at DrupalCon Nashville.
Comment #5
owenbush CreditAttribution: owenbush commentedWhen looking into this issue it doesn't appear that a definitive 'forbidden' AccessResult is ever returned. If none of the permission checks pass in this case, the access is deferred until later by returning AccessResult::neutral() for both 'update' and 'delete'. Is this actionable as it stands?
Comment #6
Wim LeersYes, you can add the helpful reason directly in the
return AccessResult::neutral()->cachePerPermissions();
calls :)Comment #7
msankhala CreditAttribution: msankhala as a volunteer and at Srijan | A Material+ Company commentedHere is a patch.
Comment #8
Wim LeersThank you, @msankhala!
Comment #9
alexpottCrediting @Wim Leers for reviews.
Committed 4022cc1 and pushed to 8.6.x. Thanks!