Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
entity_metadata_taxonomy_access (callback for entity_access) is incomplete.
Proposed resolution
Improve entity_metadata_taxonomy_access
Remaining tasks
Task | Novice task? | Contributor instructions | Complete? |
---|---|---|---|
Reroll the patch if it no longer applies. | Instructions | ||
Update the issue summary | Instructions | ||
Add automated tests | Instructions | ||
Add steps to reproduce the issue | Novice | Instructions | |
Review patch to ensure that it fixes the issue, stays within scope, is properly documented, and follows coding standards | Instructions |
User interface changes
No.
Comments
Comment #1
Weaver CreditAttribution: Weaver commentedAttached patch expands entity_metadata_taxonomy_access to correctly deal with each $op for entity_type of taxonomy_vocabulary and taxonomy_term.
Let me know whats needed to get this committed.
Comment #2
Weaver CreditAttribution: Weaver commentedComment #3
joachim CreditAttribution: joachim commentedLooks like the right approach, but needs cleaning up for coding standards and there are a few code errors too.
if statements should always have a block, even if a single line.
There's a security hole here if $account is set and is not the same as the global $user, as taxonomy_term_edit_access() ALWAYS returns access for the current user.
You don't need to break if you've returned.
Comments need to be wrapped to 80 chars. Also, they need to end with a full stop and they need a space after the //.
if takes a space before the ().
elses should not be coddled.
$account should be passed in to any calls to user_access().
Comment #4
Weaver CreditAttribution: Weaver commentedMany thanks for the feedback, patch re-rolled.
Comment #5
joachim CreditAttribution: joachim commentedGetting there! Still a few more things to fix:
This still needs to be a block.
Worth adding a comment too, to the effect that this is letting the admin through for everything.
You don't need that here; if the account has 'admin taxo' permission, they've already been let in at the very top.
You still need to add a space after the // here.
Stray whitespace here.
Same as earlier -- it's redundant to check that permission here. We know if we get this far, the user doesn't have that permission.
Comment #6
Weaver CreditAttribution: Weaver commentedThanks. Whats next?
Comment #7
Weaver CreditAttribution: Weaver commentedComment #8
drummThis seems to be affecting Drupal.org, as reported at #2344265: Excessive access control on field collection entities.
Comment #9
drummI don't see anything specifically testing this in
entity.test
. Since this is access-checking code, good test coverage is especially important. I recommend writing tests.Comment #10
lex0r CreditAttribution: lex0r commentedRerolled for 7.x-1.6
Comment #12
YesCT CreditAttribution: YesCT commentedComment #13
YesCT CreditAttribution: YesCT commentedComment #14
YesCT CreditAttribution: YesCT commentedapplies cleanly to 7.x-1.x-dev #10 unable to apply must have been that it was not applicable on the version in the meta data of the issue 1.5. I will send it for a retest.
Comment #16
klausiPatch makes sense, please add test coverage.
Comment #17
a.milkovskyAdded test coverage
Comment #18
omarlopesinoPatch #17 worked for me.
Thanks!
Comment #19
fagoI reviewed the patch and it seems fine + tested it on a site.
Comment #21
fagoCommitted, thanks!