I'm trying to use the Editablefields module with a field on a flagging and it doesn't work because Flagging entities don't have standard entity permissions - particularly for the 'update' action. I realise this is because flag permissions are handled separately from the standard permissions system, allowing, e.g., admins to specify that users can flag or not flag their own nodes, but would it be possible to include these standard entity permissions?

Comments

joachim

Version: 7.x-3.5 » 7.x-3.x-dev

Does Editablefields use Entity API's entity_access()?

We could probably implement that callback, and interpret the $op that it receives in terms of the Flag permissions.

bsarchive

Yes, it does. The access test looks like this:

if (!entity_access('update', $entity_type, $entity) || !field_access('edit', $field, $entity_type, $entity)) {
  // disallow editable field script
}
// otherwise render the editable field form

This is covered in an issue in the editablefields queue: https://www.drupal.org/node/2103023

joachim

Ok, so:

- implement the access callback for the Flagging entity
- in the callback, load the $flag handler for the flagging entity, and use its access method. The translation from $op is probably: create -> flag, delete -> unflag, update -> flag, view -> flag

bsarchive

Sorry - you've lost me. Could you explain what you mean?

joachim

1. Declare the access callback in our hook_entity_info().
2. Implement the callback, say, flagging_entity_access():

function flagging_entity_access($op, $entity, $account, $entity_type) {
  // 1. Obtain a $flag handler. For this, you need to look at the flagging, which is the $entity, and figure out what flag it's for. Then based on that, load the flag handler.

  // 2. You need to convert $op into something that works with flag module's permission model. $op is one of: create, update (or is it edit? I forget), view, delete. Whereas for $flag->access(), you only have $action, which is only either 'flag' or 'unflag' -- so you need to decide how to convert $op to $action. Hence my quick conversion list in my last comment, which may need further discussion & refinement.

  // 3. I don't remember how $flag->access() handles setting the user -- I think it has a param for that?
}
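
An added sketch of the callback outlined in the comment above, for Drupal 7 with Flag 7.x-3.x and Entity API; it is not code from the Flag module or from anyone in this thread. The `mymodule_` names are hypothetical, the `$op` mapping is the tentative list from the thread, and the property names read from the flagging (`flag_name`, `fid`, `entity_id`, `uid`) and the owner check are assumptions, marked in the comments.

```php
<?php
/**
 * Implements hook_entity_info_alter(). "mymodule" is a hypothetical module.
 */
function mymodule_entity_info_alter(&$entity_info) {
  if (isset($entity_info['flagging'])) {
    $entity_info['flagging']['access callback'] = 'mymodule_flagging_access';
  }
}

/**
 * Entity API access callback for Flagging entities (hypothetical name).
 */
function mymodule_flagging_access($op, $flagging = NULL, $account = NULL, $entity_type = NULL) {
  // Tentative $op => flag action mapping proposed in the thread.
  $map = array(
    'create' => 'flag',
    'update' => 'flag',
    'view' => 'flag',
    'delete' => 'unflag',
  );
  // Fail closed on an unknown $op, or when Entity API passes no entity.
  if (!isset($map[$op]) || !is_object($flagging)) {
    return FALSE;
  }
  $account = isset($account) ? $account : $GLOBALS['user'];

  // Resolve the flag handler from the flagging (by name, else by flag ID).
  if (!empty($flagging->flag_name)) {
    $flag = flag_get_flag($flagging->flag_name);
  }
  else {
    $flag = isset($flagging->fid) ? flag_get_flag(NULL, $flagging->fid) : FALSE;
  }
  if (!$flag || !isset($flagging->entity_id)) {
    return FALSE;
  }

  // Added assumption, not from the thread: $flag->access() does not look at
  // who owns this flagging, so on per-user flags only the owner may change
  // it. Anonymous flaggings share uid 0, so they are denied here.
  $owned = !empty($account->uid) && isset($flagging->uid) && $flagging->uid == $account->uid;
  if (empty($flag->global) && in_array($op, array('update', 'delete')) && !$owned) {
    return FALSE;
  }

  // $flag->access($entity_id, $action, $account) applies Flag's own rules.
  return (bool) $flag->access($flagging->entity_id, $map[$op], $account);
}
```

With this in place, the `entity_access('update', ...)` check quoted earlier resolves through Flag's own permission logic instead of failing for lack of a callback.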