Hello,

I have a View of Ubercart products with VBO. The only Bulk Operation I have enabled is "Add to cart". When User 1 checks the check boxes next to one or more products and clicks the execute button, it successfully adds those products to the cart. However, when an anonymous or authenticated user tries to perform the same action, they experience this error message: "Skipped Add Selected Products to Cart on node [Product Name] due to insufficient permissions."

I checked the permissions, and I do have "Execute Add to cart" enabled under "Actions permissions (VBO)". Can someone please point me in the right direction on how I can grant this permission to all site users?

Thanks!

Comments

hockey2112 created an issue. See original summary.

hockey2112’s picture

Priority: Normal » Major

I downgraded to VBO 7.x-3.2, and the issue is no longer occurring. So something in the upgrade to 7.x-3.3 is causing this issue. I am not knowledgeable enough to figure out what that cause is, though.

mautumn’s picture

Thanks hockey2112! I was trying to achieve a similarly non-node-changing action - printing a list of nodes in my use case - which shouldn't require any special node permissions - and, having tried many things, I gave the downgrade to VBO 7.x-3.2 a try and it works for me also.

hockey2112’s picture

Priority: Major » Critical

Great! Hopefully we can get a bug fix for this issue in the next release.

drupal-n3rd’s picture

Same here, subscribing. Downgrading to 3.2 seems to resolve the issue.

Robert_W’s picture

Problem for me as well, especially in combination with Organic Groups. Group administrators cannot modify user roles anymore.

johnennew’s picture

For organic groups, VBO seems to be checking that the user performing the operation not only has the VBO permission for Modify Membership Status but also has update permission on the og_membership entity. I cannot find a permission which grants this!

johnennew’s picture

Actually I have found the permission - it's "Administer Organic groups permissions" which grants global permission to all of organic groups. Not sure whose issue this is anymore!

Anyway, this undoes this without having to grant a high level global permission but is probably entirely the wrong way to approach this...

    /**
     * Implements hook_action_info_alter().
     */
    function mymodule_action_info_alter(&$entity_info) {
      $entity_info['og_membership_delete_action']['behavior'] = array(FALSE);
      $entity_info['og_set_state_action']['behavior'] = array(FALSE);
    }

johnennew’s picture

I think this is a ViewsBulkOperationsAction class issue.

getAccessMask() - "behavior" is a new key which has been added

    // Assume edit by default.
    if (empty($this->operationInfo['behavior'])) {
      $this->operationInfo['behavior'] = array('changes_property');
    }

This makes assumptions about every action on the system, so in the case of nodes it's assuming adding a role is "editing"; in the case of Organic Group membership it is assuming you need to have the ability to edit the membership - but we only have the ability to set the membership status.

By throwing a false behaviour in as described in #9 we circumvent this permission check.

johnennew’s picture

Update on #9, I also needed to allow admins to be able to set roles.

    /**
     * Implements hook_action_info_alter().
     */
    function mymodule_action_info_alter(&$entity_info) {
      $entity_info['og_membership_delete_action']['behavior'] = array(FALSE);
      $entity_info['og_set_state_action']['behavior'] = array(FALSE);
      $entity_info['og_user_roles_action']['behavior'] = array(FALSE);
    }
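
The default discussed in the comments above, as an added stand-alone example that is not part of the original thread and is not VBO's own code: it models how an action's 'behavior' array could be turned into an access mask, comparing an undeclared behavior, the array(FALSE) workaround, and a declared read-only behavior. The MODEL_OP_* constants, model_access_mask(), and the keywords other than 'changes_property' are assumptions made for the illustration.

```php
<?php
// Added illustration: a stand-alone model, not Views Bulk Operations code.
// The MODEL_OP_* constants and model_access_mask() are hypothetical names.
const MODEL_OP_VIEW   = 0x01;
const MODEL_OP_UPDATE = 0x02;
const MODEL_OP_CREATE = 0x04;
const MODEL_OP_DELETE = 0x08;

/**
 * Maps an action's 'behavior' array to the entity operations that get checked.
 */
function model_access_mask(array $action_info) {
  // Same default as the snippet quoted in the thread: no behavior means edit.
  if (empty($action_info['behavior'])) {
    $action_info['behavior'] = array('changes_property');
  }
  // Assumed mapping from behavior keyword to entity operation.
  $map = array(
    'views_property'   => MODEL_OP_VIEW,
    'changes_property' => MODEL_OP_UPDATE,
    'creates_property' => MODEL_OP_CREATE,
    'deletes_property' => MODEL_OP_DELETE,
  );
  $mask = 0;
  foreach ($map as $behavior => $bit) {
    // Strict comparison so a FALSE entry never matches a keyword.
    if (in_array($behavior, $action_info['behavior'], TRUE)) {
      $mask |= $bit;
    }
  }
  return $mask;
}

// Constructed action definitions for comparison.
$cases = array(
  'no behavior declared'      => array(),
  'array(FALSE) workaround'   => array('behavior' => array(FALSE)),
  'read-only action declared' => array('behavior' => array('views_property')),
);
foreach ($cases as $label => $info) {
  printf("%-26s mask=0x%02x\n", $label, model_access_mask($info));
}
```

In this model a mask of zero means no entity operation is checked at all, so the workaround leaves the VBO action permission as the only gate; declaring the narrowest behavior that fits the action keeps an entity-level check in place.
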
joelpittet’s picture

Status: Active » Closed (duplicate)

Please review this issue as it's the original issue and has some good suggestions for a way forward.
#2254871: Default action behaviors in getAccessMask()