Currently the entity_metadata_taxonomy_access() access callback does not respect "delete terms in {vid}" and requires users to have "administer taxonomy" in order to have access.

Modules using the entity controllers to validate delete access then fail when expecting this permission to work as expected, like when using Inline Entity Form.

Patch to follow.


Comments

mglaman

Attached is a patch which adds a check on "delete" operations and proper permissions.

andyg5000

Status: Active » Needs review

mglaman

FileSize: 681 bytes

Reroll of patch. Generated through PhpStorm originally, now through Git command line.

Status: Needs review » Needs work

The last submitted patch, 3: 2288483-check-for-delete-permission-2.patch, failed testing.

The last submitted patch, 1: 2288483-check-for-delete-permission.patch, failed testing.

mglaman

Status: Needs work » Needs review
FileSize: 683 bytes

Update logic in patch so patch stops failing.

amitaibu

I believe it doesn't respect "create" permissions as well.

mglaman

Terms rely on "edit" not "create" as the permission. We're using Inline Entity Form to re-work the taxonomy term management for users. We only provision the "edit" permission. We realized they could edit and add correctly, but not delete. This patch is what allows us to provide management of terms to users without giving them complete "administer terms" access.


Chris Matthews

Status: Needs review » Needs work
Issue tags: +Needs reroll

The 5-year-old patch in #6 to callbacks.inc does not apply to the latest entity 7.x-1.x-dev and (if still relevant) needs a reroll.

Checking patch modules/callbacks.inc...
error: while searching for:
  if (isset($entity) && $op == 'update' && !isset($account) && taxonomy_term_edit_access($entity)) {
    return TRUE;
  }
  if (user_access('administer taxonomy', $account) || user_access('access content', $account) && $op == 'view') {
    return TRUE;
  }

error: patch failed: modules/callbacks.inc:801
error: modules/callbacks.inc: patch does not apply
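
The access decision discussed in this thread, as an added sketch that is not the patch from this issue or the Entity API module's own code. It models the lines quoted in the failed-apply output in plain PHP so it runs without Drupal: the `example_*` functions and the `$granted` array are hypothetical stand-ins for `user_access()`, and "edit terms in {vid}" is assumed to be the per-vocabulary permission behind `taxonomy_term_edit_access()`.

```php
<?php
// Added sketch: models the access decision in plain PHP so it runs without
// Drupal. $granted is a constructed stand-in for user_access() lookups.

function example_has(array $granted, $perm) {
  return in_array($perm, $granted, TRUE);
}

// Logic as quoted in the failed-apply output: per-vocabulary rights are only
// consulted for 'update'; everything else needs "administer taxonomy".
function example_access_before($op, $vid, array $granted) {
  if ($op == 'update' && example_has($granted, "edit terms in $vid")) {
    return TRUE;
  }
  // && binds tighter than ||, so "access content" only ever grants 'view'.
  return example_has($granted, 'administer taxonomy')
    || example_has($granted, 'access content') && $op == 'view';
}

// Same logic plus a per-vocabulary delete check, scoped to the term's vid.
function example_access_after($op, $vid, array $granted) {
  if ($op == 'delete' && example_has($granted, "delete terms in $vid")) {
    return TRUE;
  }
  return example_access_before($op, $vid, $granted);
}

// Constructed account: manages vocabulary 3 only, no "administer taxonomy".
$granted = array('access content', 'edit terms in 3', 'delete terms in 3');

foreach (array(3, 4) as $vid) {
  foreach (array('view', 'update', 'delete') as $op) {
    printf("vid %d %-6s before=%-5s after=%s\n", $vid, $op,
      var_export(example_access_before($op, $vid, $granted), TRUE),
      var_export(example_access_after($op, $vid, $granted), TRUE));
  }
}
```

The rows for vocabulary 4 are the regression check a reroll should keep: the delete grant has to stay scoped to the term's own vocabulary, so update and delete remain denied there.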