Improve entity_metadata_taxonomy_access to cover existing permissions [#2323619]

Contributor tasks needed
Task	Novice task?	Contributor instructions
Reroll the patch if it no longer applies.		Instructions
Update the issue summary		Instructions
Add automated tests		Instructions
Add steps to reproduce the issue	Novice	Instructions
Review patch to ensure that it fixes the issue, stays within scope, is properly documented, and follows coding standards		Instructions

Comment	File	Size	Author
#17	entity-entity_metadata_taxonomy_access-2323619-17.patch	4.9 KB	a.milkovsky

#10	entity-entity_metadata_taxonomy_access-2323619-10.patch	1.74 KB	lex0r

#6	entity-entity_metadata_taxonomy_access-2323619-6.patch	1.73 KB	Weaver

#4	entity-entity_metadata_taxonomy_access-2323619-4.patch	1.79 KB	Weaver

#1	entity-entity_metadata_taxonomy_access-2323619-1.patch	1.66 KB	Weaver

Comment #1

Weaver CreditAttribution: Weaver commented 18 August 2014 at 22:52

File	Size
entity-entity_metadata_taxonomy_access-2323619-1.patch	1.66 KB

Attached patch expands entity_metadata_taxonomy_access to correctly deal with each $op for entity_type of taxonomy_vocabulary and taxonomy_term.

Let me know whats needed to get this committed.

Log in or register to post comments

Comment #2

Weaver CreditAttribution: Weaver commented 18 August 2014 at 22:51

Issue summary:

View changes

Log in or register to post comments

Comment #3

joachim CreditAttribution: joachim commented 19 August 2014 at 19:11

Status:

Active

» Needs work

Looks like the right approach, but needs cleaning up for coding standards and there are a few code errors too.

+++ b/modules/callbacks.inc
@@ -795,14 +795,31 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+  if (user_access('administer taxonomy', $account)) return TRUE;

if statements should always have a block, even if a single line.

+++ b/modules/callbacks.inc
@@ -795,14 +795,31 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        return taxonomy_term_edit_access($entity);

There's a security hole here if $account is set and is not the same as the global $user, as taxonomy_term_edit_access() ALWAYS returns access for the current user.

+++ b/modules/callbacks.inc
@@ -795,14 +795,31 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+      break;

You don't need to break if you've returned.

+++ b/modules/callbacks.inc
@@ -795,14 +795,31 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        //Check for taxonomy_access_fix which adds permissions to create new terms in a given vocab

Comments need to be wrapped to 80 chars. Also, they need to end with a full stop and they need a space after the //.

+++ b/modules/callbacks.inc
@@ -795,14 +795,31 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        if(function_exists('taxonomy_access_fix_access')) {

if takes a space before the ().

+++ b/modules/callbacks.inc
@@ -795,14 +795,31 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        } else {

elses should not be coddled.

+++ b/modules/callbacks.inc
@@ -795,14 +795,31 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        return user_access("delete terms in $entity->vid");

$account should be passed in to any calls to user_access().

Log in or register to post comments

Comment #4

Weaver CreditAttribution: Weaver commented 19 August 2014 at 20:58

File	Size
entity-entity_metadata_taxonomy_access-2323619-4.patch	1.79 KB

Many thanks for the feedback, patch re-rolled.

Log in or register to post comments

Comment #5

joachim CreditAttribution: joachim commented 19 August 2014 at 22:16

Getting there! Still a few more things to fix:

+++ b/modules/callbacks.inc
@@ -795,14 +795,34 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+  if (user_access('administer taxonomy', $account)) return TRUE;

This still needs to be a block.

Worth adding a comment too, to the effect that this is letting the admin through for everything.

+++ b/modules/callbacks.inc
@@ -795,14 +795,34 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        return user_access("edit terms in $entity->vid", $account) || user_access('administer taxonomy', $account);

You don't need that here; if the account has 'admin taxo' permission, they've already been let in at the very top.

+++ b/modules/callbacks.inc
@@ -795,14 +795,34 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        //Check for taxonomy_access_fix contrib module which adds additional
+        //permissions to create new terms in a given vocabulary.

You still need to add a space after the // here.

+++ b/modules/callbacks.inc
@@ -795,14 +795,34 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        } ¶

Stray whitespace here.

+++ b/modules/callbacks.inc
@@ -795,14 +795,34 @@ function entity_metadata_comment_properties_access($op, $property, $entity = NUL
+        else {
+          return user_access('administer taxonomy', $account);
+        }

Same as earlier -- it's redundant to check that permission here. We know if we get this far, the user doesn't have that permission.

Log in or register to post comments

Comment #6

Weaver CreditAttribution: Weaver commented 20 August 2014 at 08:38

File	Size
entity-entity_metadata_taxonomy_access-2323619-6.patch	1.73 KB

Thanks. Whats next?

Log in or register to post comments

Comment #7

Weaver CreditAttribution: Weaver commented 26 August 2014 at 20:56

Status:

Needs work

» Needs review

Log in or register to post comments

Comment #8

drumm

he/him

NY, US

CreditAttribution: drumm commented 8 October 2014 at 17:27

Issue tags:

+affects drupal.org

This seems to be affecting Drupal.org, as reported at #2344265: Excessive access control on field collection entities.

Log in or register to post comments

Comment #9

drumm

he/him

NY, US

CreditAttribution: drumm commented 8 October 2014 at 17:42

I don't see anything specifically testing this in entity.test. Since this is access-checking code, good test coverage is especially important. I recommend writing tests.

Log in or register to post comments

Comment #10

lex0r CreditAttribution: lex0r commented 13 May 2015 at 13:31

File	Size
entity-entity_metadata_taxonomy_access-2323619-10.patch	1.74 KB

Rerolled for 7.x-1.6

Log in or register to post comments

Comment #11

13 May 2015 at 13:37

Status:

Needs review

» Needs work

The last submitted patch, 10: entity-entity_metadata_taxonomy_access-2323619-10.patch, failed testing.

Log in or register to post comments

Comment #12

YesCT CreditAttribution: YesCT commented 18 May 2015 at 15:34

Log in or register to post comments

Comment #13

YesCT CreditAttribution: YesCT commented 18 May 2015 at 15:38

Version:	7.x-1.5	» 7.x-1.x-dev
Issue summary:	View changes
Issue tags:		+Needs issue summary update, +Needs tests, +Needs reroll

Log in or register to post comments

Comment #14

YesCT CreditAttribution: YesCT commented 18 May 2015 at 15:42

Issue tags:

-Needs reroll

applies cleanly to 7.x-1.x-dev #10 unable to apply must have been that it was not applicable on the version in the meta data of the issue 1.5. I will send it for a retest.

Log in or register to post comments

Comment #15

18 May 2015 at 15:42

Status:

Needs work

» Needs review

YesCT queued 10: entity-entity_metadata_taxonomy_access-2323619-10.patch for re-testing.

Log in or register to post comments

Comment #16

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 18 May 2015 at 16:10

Status:

Needs review

» Needs work

Patch makes sense, please add test coverage.

Log in or register to post comments

Comment #17

a.milkovsky

he/him

UTC +2

CreditAttribution: a.milkovsky as a volunteer commented 12 August 2015 at 09:38

Status:

Needs work

» Needs review

File	Size
entity-entity_metadata_taxonomy_access-2323619-17.patch	4.9 KB

Added test coverage

Log in or register to post comments

Comment #18

omarlopesino

he/him

CreditAttribution: omarlopesino at Metadrop commented 23 February 2016 at 11:40

Patch #17 worked for me.
Thanks!

Log in or register to post comments

Comment #19

fago

German

Vienna

CreditAttribution: fago at drunomics commented 17 March 2016 at 17:02

Title:	Improve entity_metadata_taxonomy_access	» Improve entity_metadata_taxonomy_access to cover existing permissions
Status:	Needs review	» Reviewed & tested by the community
Issue tags:	-Needs tests

I reviewed the patch and it seems fine + tested it on a site.

Log in or register to post comments

Comment #20

17 March 2016 at 17:03

fago committed 1fa8f2d on 7.x-1.x authored by Weaver

Issue #2323619 by Weaver, lex0r, a.milkovsky, fago: Improve...

Log in or register to post comments

Comment #21

fago

German

Vienna

CreditAttribution: fago at drunomics commented 17 March 2016 at 17:03

Status:

Reviewed & tested by the community

» Fixed

Committed, thanks!

Log in or register to post comments

Comment #22

31 March 2016 at 17:04

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Log in or register to post comments

Improve entity_metadata_taxonomy_access to cover existing permissions

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Comment #19

Comment #20

Comment #21

Comment #22

Child issues

Related issues

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community