Problem/Motivation

The /node/add-microcontent route relies on the '_entity_create_any_access' => 'node' access check. As a result, users who have permission to create one or more regular node types, but no micronode types, are able to access the /node/add-microcontent route.

Once there, they are encouraged to create a new content type — something my test user is not authorized to do (which seems like a bug in Drupal\Core\EntityEntityCreateAnyAccessCheck?).

You have not created any content types yet. Go to the content type creation page to add a new content type.

Steps to reproduce

  1. Create a user with the ability to add at least one regular node type.
  2. Ensure that user does not have permission to create any micronode types.
  3. Visit /node/add-microcontent.

Proposed resolution

  • Extend AccessInterface to implement MicronodeCreateAnyAccessCheck.
  • Update MicronodeRouteSubscriber to use new access check.

Issue fork micronode-3380025

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

justcaldwell created an issue. See original summary.

justcaldwell’s picture

justcaldwell
he/him
Primary language English
Location Austin, Texas
commented
Title: Restrict access to /node/add-microcontent route » Add create any micronode access check
justcaldwell’s picture

justcaldwell
he/him
Primary language English
Location Austin, Texas
commented

Maybe don't extend AccessInterface because #2266817: Deprecate empty AccessInterface and remove usages?? Haven't had time to digest that thread yet. Ugh.

justcaldwell opened merge request !5

justcaldwell’s picture

justcaldwell
he/him
Primary language English
Location Austin, Texas
commented
Status: Active » Needs review

Test still needed, but the MR I just opened seems to be working well enough, and it would be good to get feedback.

I went ahead and extended AccessInterface (though it's empty) as that's consistent with current documentation, and it's not clear—to me anyway—what the final resolution of #2266817: Deprecate empty AccessInterface and remove usages will be.

justcaldwell’s picture

justcaldwell
he/him
Primary language English
Location Austin, Texas
commented
Issue summary: View changes
justcaldwell’s picture

justcaldwell
he/him
Primary language English
Location Austin, Texas
commented
Issue summary: View changes
justcaldwell’s picture

justcaldwell
he/him
Primary language English
Location Austin, Texas
commented
Title: Add create any micronode access check » Prevent users who can't add micronode content from accessing /node/add-microcontent

marcoscano made their first commit to this issue’s fork.

marcoscano’s picture

marcoscano
Primary language Portuguese, Brazil
Location Barcelona, Spain
commented
Status: Needs review » Fixed

Makes sense to me. Thanks for contributing!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.