While working with the services and uuid_services (uuid) modules, I was trying to PUT a new comment as an anonymous user and kept getting "403 Access denied for user anonymous". Anonymous users on my test site have the following comment permissions:

  • access comments
  • post comments
  • skip comment approval

uuid/uuid_services/uuid_services.module > _uuid_services_entity_access($op, $args) ends up calling entity/modules/callback.inc > entity_metadata_comment_access($op, $entity = NULL, $account = NULL) and passing 'create' as the $op.

Without the "administer comments" permission, an anonymous user would never be allowed to create a comment even if they have the "post comments" permission since the "create" op is not handled.


Comments

dkingofpa’s picture

Here's a patch that adds "create" op support to entity_metadata_comment_access rolled from 7.x-1.x. Very simple patch, it should apply to 7.x-1.5 as well.

dkingofpa’s picture

Status: Active » Needs review

frankkessler’s picture

Status: Needs review » Reviewed & tested by the community

Patch verified on 7.x-1.6. It's impossible to post comments using the uuid_services and services modules without this patch unless you give the authenticated user administrator rights over comments.

mpotter’s picture

OK, this one really is a no-brainer. Sad that it was done 2 years ago and didn't get a good review.

I ran into this using the Paragraphs module to add paragraph entities to comments. It checks the parent comment permissions, so passes "create" to entity_access when adding paragraphs to a new comment.

This really should get committed.

edaa’s picture

+1 for this; currently comments can't be created through the RESTful API.

edaa’s picture

Take into account attempting to update a newly created comment.

edaa’s picture

garphy’s picture

Really needed for any serious headless Drupal operating mode (RESTful or Services API).
+1 for committing this.

Moxide’s picture

Just to bump this one...
Mandatory patch to make RESTful comments work!

Why is it still not committed?

fago’s picture

Status: Reviewed & tested by the community » Needs work

+++ b/modules/callbacks.inc
@@ -769,6 +769,11 @@ function entity_metadata_comment_access($op, $entity = NULL, $account = NULL) {
+  if ($op == 'update' && !empty($entity->is_new)) {
+    $op = 'create';
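
Review bot: the `$op = 'create'` rewrite at the top of this hunk makes the access decision depend on `is_new`, a property of the entity object the caller passes in, so a request for 'update' can be evaluated under the rules for 'create' without the caller asking for that. Leave `$op` as passed and have the calling code request 'create' for new comments; if the remap stays, add a comment explaining why 'update' on a new entity is treated as 'create'. The excerpt also ends before the closing brace of the `if`, so the rest of the block cannot be reviewed here.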

I don't think it's the job of the entity API to correct the caller's $op.

+++ b/modules/callbacks.inc
@@ -782,6 +787,9 @@ function entity_metadata_comment_access($op, $entity = NULL, $account = NULL) {
+  if (user_access('post comments', $account) && $op == 'create') {
+    return TRUE;
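
Review bot: the `return TRUE` in this branch is reached on 'post comments' plus the op alone and never looks at `$entity`, so the result is the same whatever the submitted comment contains or is attached to. Add a code comment or a test that states where approval and any per-comment conditions are enforced, since nothing in these lines does it. Minor: compare with `$op === 'create'` and test it before calling `user_access()` so other ops skip the permission lookup.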

Hm, does that relate to skip comment approval? I guess we have to make sure this permission is covered also somehow, e.g. via property access?

D34dMan’s picture

Patch in #1 solves the issue.

efpapado’s picture

I share the concerns of #10 (first part), but I agree that #6 fixes the problem, even if it is done wrong(ish)ly.
The comment approval permission (#10 second part) doesn't seem to be skipped.