Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Currently the entity_metadata_taxonomy_access() access callback does not respect "delete terms in {vid}" and requires users to have "administer taxonomy" in order to have access.
Modules using the entity controllers to validate delete access then fail when expecting this permission to work as expected, like when using Inline Entity Form.
Patch to follow.
Comment | File | Size | Author |
---|---|---|---|
#6 | 2288483-check-for-delete-permission-6.patch | 683 bytes | mglaman |
Comments
Comment #1
mglamanAttached is patch which adds check on "delete" operations and proper permissions.
Comment #2
andyg5000Comment #3
mglamanReroll of patch. Generated through PhpStorm originally, now through Git command line.
Comment #6
mglamanUpdate logic in patch so patch stops failing.
Comment #7
amitaibui believe it doesn't respect "create" permissions as-well
Comment #8
mglamanTerms rely on "edit" not "create" as the permission. We're using Inline Entity Form to re-work the taxonomy term management for users. We only provision the "edit" permission. We realized they could edit and add correctly, but not delete. This patch is what allows us to provide management of terms to users without giving them complete "administer terms" access.
Comment #9
drumm#2323619: Improve entity_metadata_taxonomy_access to cover existing permissions covers delete and has other improvements.
Comment #10
Chris Matthews CreditAttribution: Chris Matthews as a volunteer commentedThe 5 year old patch in #6 to callbacks.inc does not apply to the latest entity 7.x-1.x-dev and (if still relevant) needs a reroll.