Problem/Motivation

The module just hides a form button, but the actual access to the "preview route" isn't changed.

This is probably mitigated by the fact that the preview route involves a uuid, but there's an actual access handler for this specific operation, so we should probably be altering it.

CommentFileSizeAuthor
#2 3383501-access-check.patch2.77 KBgcb

Issue fork node_preview_permissions-3383501

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

  • 1.x Comparecompare
About issue forks

Comments

gcb created an issue. See original summary.

gcb’s picture

gcb
he/him
Location Portland, OR
commented
Status: Active » Needs review
StatusFileSize
new 3383501-access-check.patch2.77 KB

  • 04dc88b7 committed on 1.x 
    Issue #3383501 by gcb: Block actual preview route access
bobooon’s picture

bobooon commented
Assigned: Unassigned » bobooon
Status: Needs review » Fixed

Good callout! I went a different route with the implementation, however. Instead of overriding the existing access_check.node.preview service the module provides it's own access_check.node.preview_permissions service. Drupal registers every access check provider using the applies_to property. If either the access_check.node.preview or access_check.node.preview_permissions access checker returns forbidden the preview route responds with access denied. Furthermore, the new service is used to set the preview button element access.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.