Problem/Motivation

Whenever there is an Entity Reference field within a Field Collection field, users will randomly receive a 403 error in a JavaScript alert window when using Entity Reference's autocomplete. I do not have reliable steps to reproduce this problem. It may be an issue that only occurs when there are multiple users editing at the same time.

In field_collection_item_access() we have this:

if (user_access('administer field collections', $account)) {
  return TRUE;
}
if (!isset($item)) {
  return FALSE;
}

This shows why this fails and why the workaround works. It fails because Entity Reference is attempting to call access on a non-existent collection, but the workaround works because we are granting access before the user hits this.

In the end, it doesn't make a huge difference as the host entity is going to be modified by two different users at the same time, and you get this error when you try and save a node:

The content on this page has either been modified by another user, or you have already submitted modifications using this form. As a result, your changes cannot be saved.

Steps to reproduce

  1. Create a content type with a field collection (multiple values) and an entity reference field (single value) inside of that collection
  2. Ensure that you do not have access to administer field collections
  3. Create a piece of content with multiple field collection values and ensure that each collection references a piece of content
  4. Save the content
  5. Open the "Edit" page of this node in two tabs (same edit page twice)
  6. In one of the tabs, remove one of the field collections and Save the content.
  7. Now go to the other tab, try and reference a different piece of content in the same collection you removed in the first tab. You should get the 403 error popup.

Work around

Giving all users the administer field collections permission resolves the issue, but obviously gives way too much permission to users.

Proposed resolution

Change

if (!isset($item)) {
  return FALSE;
}

to

if (!isset($item)) {
  return TRUE;
}

Alternatively, #2612750: Create a better error message when a 403 is returned.

Remaining tasks

  1. Write patch

User interface changes

None.

API changes

None.

Data model changes

None.


Comments

davidwbarratt created an issue. See original summary.

ccjjmartin’s picture

Status: Active » Needs review
FileSize
866 bytes

I just hit a similar error related to the user not having the "administer field collections" permission. I am uploading a patch that I believe fixes the issue of giving users too much permission while giving them the ability to "edit" field collections (specifically using entity reference fields). The patch creates a new level of permission called "Edit field collections" which on the site I am working on gives the users (editors) the ability to edit but doesn't give them access to edit the field collections administration page (that they could use to delete fields from field collections).
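
As an added example (not part of the issue thread and not Field Collection's code), this standalone PHP sketch compares how three variants decide when $item is unset: the check quoted in the summary, the summary's proposed `return TRUE`, and a permission-gated variant. `demo_user_access()`, the account arrays and the machine name `edit field collections` are assumptions; the committed patch itself is not shown on this page.

```php
<?php
// Added illustration; not Field Collection's code. demo_user_access() stands in
// for Drupal's user_access(); accounts are constructed arrays of permissions.
function demo_user_access($permission, array $account) {
  return in_array($permission, $account['permissions'], TRUE);
}

// Variant 1: the check as quoted in the issue summary (missing item denied).
function access_current($item, array $account) {
  if (demo_user_access('administer field collections', $account)) {
    return TRUE;
  }
  if (!isset($item)) {
    return FALSE;
  }
  return TRUE; // Placeholder: per-item checks are not shown on the page.
}

// Variant 2: the summary's proposed change (missing item allowed for anyone).
function access_proposed($item, array $account) {
  if (demo_user_access('administer field collections', $account)) {
    return TRUE;
  }
  if (!isset($item)) {
    return TRUE;
  }
  return TRUE; // Placeholder, as above.
}

// Variant 3: assumed shape of a permission-gated check. The machine name
// 'edit field collections' is an assumption.
function access_gated($item, array $account) {
  if (demo_user_access('administer field collections', $account)
    || demo_user_access('edit field collections', $account)) {
    return TRUE;
  }
  return isset($item); // Placeholder for per-item checks when the item exists.
}
// Constructed sample accounts.
$accounts = array(
  'admin' => array('permissions' => array('administer field collections')),
  'editor' => array('permissions' => array('edit field collections')),
  'no permissions' => array('permissions' => array()),
);
foreach ($accounts as $name => $account) {
  foreach (array('access_current', 'access_proposed', 'access_gated') as $check) {
    printf("%-15s %-16s %s\n", $name, $check, var_export($check(NULL, $account), TRUE));
  }
}
```

With an unset item, only the proposed variant grants access to the account holding no permissions; the gated variant allows the editor through while still denying that account.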

BBC’s picture

Seems that I've tripped over this one as well. Patch #7 worked well for me. Thanks ccjjmartin!

  • ram4nd committed 90ecafe on 7.x-1.x authored by ccjjmartin
    Issue #2611938 by ccjjmartin: Entity Reference inside of a Field...
ram4nd’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.