In MicroContentAccessHandler.php, ‘own’ content is determined by $microcontent->getRevisionUserId()
case 'update':
return AccessResult::allowedIfHasPermission($account, sprintf('update any %s microcontent', $microcontent->bundle()))
->orIf(AccessResult::allowedIf($account->hasPermission(sprintf('update own %s microcontent', $microcontent->bundle())) && $microcontent->getRevisionUserId() === $account->id())
->cachePerPermissions()
->cachePerUser());
Use of the revision owner user id here is wrong. Or, if intentional, it’s not how Drupal core and contrib modules generally work - they determine “own” content based on the author/owner value of the entity. Example for core media module in MediaAccessControlHandler.php
$is_owner = ($account->id() && $account->id() === $entity->getOwnerId());
// ... later ...
case 'update':
if ($account->hasPermission('edit any ' . $type . ' media')) {
return AccessResult::allowed()->cachePerPermissions();
}
if ($account->hasPermission('edit own ' . $type . ' media') && $is_owner) {
return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity);
Impact:
If a user’s edit and delete permissions are limited to edit-own and delete-own, they lose that access if an admin (etc) edits the item, because then the revision author would become that person.
Use $microcontent->getOwnerId() instead of $microcontent->getRevisionUserId()
I've built a patch, to be submitted shortly.
Show commandsStart within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #3
andy inman commentedI have learned: don't right-click the Open MR button hoping to check the URL - that will trigger the button action.
Comment #4
larowlanThis change looks reasonable to me.
Thanks for the MR.
Will merge if tests pass
Comment #5
larowlanLooks like there's a failing test, likely needs updating to match new logic
Comment #6
andy inman commentedConfirmed - access tests were checking edit-own and delete-own permission based on revision uid rather than entity uid. I've changed that. I've also added a couple of tests cases to check update and delete when user has the edit/delete-own permission but is not the owner.
Comment #7
andy inman commentedBefore marking as RTBC, I think it's worth at least considering the possibility that somebody out there may have an access control strategy that would be broken by these changes. That seems very unlikely to me, but I suppose it's not impossible. In the worst case, people could get edit/delete access to micro-content that they're not supposed to be able to change. There's no simple solution - I'm just suggesting a pause for thought - maybe wait for a bit more input from others.
Comment #9
acbramley commentedThanks very much @Andy Inman for the thorough fix and test coverage. I agree this is wrong (and I wrote it originally).
Your points in #7 are valid, but I think as long as we spell it out in the release notes we're good hopefully!
Will merge and release on green.
Comment #10
simeYeah the comparison to Media access checking is a good one - patch works for me.
Comment #12
acbramley commentedAvailable in 8.x-1.6