Problem/Motivation
Anyone with permission to edit nodes where an entity reference field is added to select system_tag entities can update this field.
This module is more of a 'power user' module, in the sense that a user with limited knowledge can break the system tags.
Steps to reproduce
- Add an entity_reference field targeting system_tag entities to a content type.
- Create a node of this type as a non-admin user.
Proposed resolution
- Add 'Assign system tags' permission.
- Use this permission to shield access to entity_reference fields targeting system_tag entities.
Remaining tasks
?
User interface changes
N/A
API changes
N/A
Data model changes
N/A
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | system_tags-3229825-7.patch | 1.44 KB | lammensj |
| #7 | interdiff.txt | 1.18 KB | lammensj |
| #5 | system_tags-3229825-5.patch | 1.45 KB | kensae |
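
The proposed resolution above can be expressed as a field access hook; this is an added example, not the code from the attached patches. The permission machine name `assign system tags`, the restriction to the `edit` operation, and the placement in `system_tags.module` are assumptions.

```php
<?php

/**
 * @file
 * Illustrative field access hook (assumed to live in system_tags.module).
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 */
function system_tags_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Only entity reference fields are candidates for this check.
  if ($field_definition->getType() !== 'entity_reference') {
    return AccessResult::neutral();
  }

  // Match on the reference target type as well. Without this test the
  // permission would also gate references to users, terms, media and so on.
  if ($field_definition->getSetting('target_type') !== 'system_tag') {
    return AccessResult::neutral();
  }

  // Assumption: only editing is gated; viewing keeps its configured access.
  if ($operation !== 'edit') {
    return AccessResult::neutral();
  }

  // Assumed machine name for the 'Assign system tags' permission, which
  // must also be declared in the module's permissions YAML file.
  // forbidden() overrides any allowed() result returned by other modules.
  return AccessResult::forbiddenIf(!$account->hasPermission('assign system tags'))
    ->cachePerPermissions();
}
```

Returning `neutral()` for non-matching fields leaves the decision to core and other modules, and `cachePerPermissions()` keeps the cached result from being reused across roles with different permissions.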
Comments
Comment #2
stefdewa commented
Patch adds a permission 'Assign system tags' and hooks into field access to hide the field for not allowed users.
Comment #3
kensae commented
This extra permission is very useful indeed.
I've rewritten the patch slightly:
Comment #4
kensae commented
Comment #5
kensae commented
In the previous patch I forgot to specify the entity reference target type, which causes permission issues with other entity references.
Comment #6
lammensj commented
Thank you for your collaboration. I'll check as soon as I find the time :-)
Comment #7
lammensj commented
Patch looks fine, just applied some code styling.
Comment #9
lammensj commented