Two related bugs:

  1. The menu callback for creating a changeset uses the wrong permission check; it assumes you need "administer changesets" permission to create changesets, but that's actually just the default behavior. It should check the full entity access system instead.
  2. The link for adding a changeset does not do a permission check before being displayed, so sometimes it can be displayed to users who won't have access if they click on it.
Comment | File | Size | Author
#1 | cps-add-access-2456115-1.patch | 1020 bytes | David_Rothstein
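
Both bugs in the summary come from the menu route and the link not consulting the same access decision. The stand-alone PHP model below is an added example, not the CPS module's code or the attached patch. Every name in it (`changeset_access`, the `editor` role, the `/changeset/add` path) is hypothetical, and the rule list only stands in for an entity access system that other code can extend.

```php
<?php
// Stand-alone model, not Drupal or CPS code; all names here are hypothetical.

// Full access check: registered rules may allow or deny; if none has an
// opinion, fall back to the default "administer changesets" permission.
function changeset_access(string $op, array $account, array $rules): bool {
    foreach ($rules as $rule) {
        $verdict = $rule($op, $account); // true = allow, false = deny, null = no opinion
        if ($verdict !== null) {
            return $verdict;
        }
    }
    return in_array('administer changesets', $account['permissions'], true);
}

// Bug 1 pattern: the route hardcodes the default permission and ignores the rules.
function route_access_buggy(array $account): bool {
    return in_array('administer changesets', $account['permissions'], true);
}

// Fixed pattern: the route defers to the full access check.
function route_access_fixed(array $account, array $rules): bool {
    return changeset_access('create', $account, $rules);
}

// Bug 2 pattern is a link rendered unconditionally. Fixed pattern: render the
// link only when the same check that guards the route passes.
function add_link(array $account, array $rules): ?string {
    return route_access_fixed($account, $rules)
        ? '<a href="/changeset/add">Add changeset</a>'
        : null;
}

// Constructed sample data: a custom rule grants "create" to the "editor" role.
$rules = [fn($op, $a) => ($op === 'create' && in_array('editor', $a['roles'], true)) ? true : null];
$accounts = [
    'editor' => ['roles' => ['editor'], 'permissions' => []],
    'viewer' => ['roles' => ['viewer'], 'permissions' => []],
];

foreach ($accounts as $name => $account) {
    printf("%s: buggy route=%s, fixed route=%s, link=%s\n", $name,
        var_export(route_access_buggy($account), true),
        var_export(route_access_fixed($account, $rules), true),
        add_link($account, $rules) === null ? 'hidden' : 'shown');
}
```

With the constructed data, the hardcoded route check refuses the editor that the custom rule allows, while the viewer gets neither the route nor the link once both go through the same function.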

Comments

David_Rothstein

Status: Active » Needs review

Here is a patch.

merlinofchaos

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Status: Closed (fixed) » Needs work

The last submitted patch, 1: cps-add-access-2456115-1.patch, failed testing.

David_Rothstein

Status: Needs work » Closed (fixed)

Testbot weirdness.