Problem/Motivation
Whenever there is an Entity Reference field within a Field Collection field, users will randomly receive a 403 error in a JavaScript alert window when using Entity Reference's autocomplete. I do not have reliable steps to reproduce this problem. It may be an issue that only occurs when there are multiple users editing at the same time.
In field_collection_item_access() we have this:
```php
if (user_access('administer field collections', $account)) {
  return TRUE;
}
if (!isset($item)) {
  return FALSE;
}
```
This shows why this fails and why the workaround works. It fails because Entity Reference is attempting to call access on a non-existent collection, but the workaround works because we are granting access before the user hits this.
In the end, it doesn't make a huge difference as the host entity is going to be modified by two different users at the same time, and you get this error when you try and save a node:
The content on this page has either been modified by another user, or you have already submitted modifications using this form. As a result, your changes cannot be saved.
Steps to reproduce
- Create a content type with a field collection (multiple values) and an entity reference field (single value) inside of that collection
- Ensure that you do not have access to `administer field collections`
- Create a piece of content with multiple field collection values and ensure that each collection references a piece of content
- Save the content
- Open the "Edit" page of this node in two tabs (same edit page twice)
- In one of the tabs, remove one of the field collections and Save the content.
- Now go to the other tab, try and reference a different piece of content in the same collection you removed in the first tab. You should get the 403 error popup.
Work around
Giving all users the `administer field collections` permission resolves the issue, but obviously gives way too much permission to users.
Proposed resolution
Change

```php
if (!isset($item)) {
  return FALSE;
}
```

to

```php
if (!isset($item)) {
  return TRUE;
}
```
Alternatively, #2612750: Create a better error message when a 403 is returned.
Remaining tasks
- Write patch
User interface changes
None.
API changes
None.
Data model changes
None.
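
An added example, not part of the original issue or the Field Collection module's code: a stand-alone PHP model of the two checks quoted above, showing which account and item combinations change outcome when the `!isset($item)` branch returns TRUE instead of FALSE. The `demo_` functions, the array-based account and the sample item are assumptions made for illustration; NULL stands for a decision made by code the issue does not quote.

```php
<?php
// Stand-alone model; no Drupal bootstrap. All demo_ names are hypothetical.

// Stand-in for user_access(): the account is a plain array of permission strings.
function demo_user_access($permission, array $account) {
  return in_array($permission, $account['permissions'], TRUE);
}

// Models only the two checks quoted in the issue. $missing_item_result is what
// the !isset($item) branch returns: FALSE today, TRUE under the proposed change.
// NULL means the decision is made by code the issue does not quote.
function demo_item_access(array $account, $item, $missing_item_result) {
  if (demo_user_access('administer field collections', $account)) {
    return TRUE;
  }
  if (!isset($item)) {
    return $missing_item_result;
  }
  return NULL;
}

// Evaluates every account/item combination under both variants.
function demo_matrix() {
  $accounts = array(
    'admin' => array('permissions' => array('administer field collections')),
    'editor' => array('permissions' => array()),
  );
  // Constructed sample data: one loaded item, one item removed in another tab.
  $items = array('existing' => array('item_id' => 1), 'removed' => NULL);
  $rows = array();
  foreach ($accounts as $who => $account) {
    foreach ($items as $state => $item) {
      $rows[] = array($who, $state,
        demo_item_access($account, $item, FALSE),
        demo_item_access($account, $item, TRUE));
    }
  }
  return $rows;
}

foreach (demo_matrix() as $row) {
  list($who, $state, $current, $proposed) = $row;
  printf("%-6s %-8s current=%-8s proposed=%s\n", $who, $state,
    var_export($current, TRUE), var_export($proposed, TRUE));
}
```

Only the row for an account without `administer field collections` and a missing item differs between the two columns, and in the proposed variant that grant does not depend on the operation being checked.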
Comment | File | Size | Author |
---|---|---|---|
#7 | field-collection-permissions-2611938-7-D7.patch | 866 bytes | ccjjmartin |
Comments
Comment #2
davidwbarratt CreditAttribution: davidwbarratt at Golf Channel commented
Comment #3
davidwbarratt CreditAttribution: davidwbarratt at Golf Channel commented
Comment #4
davidwbarratt CreditAttribution: davidwbarratt at Golf Channel commented
Comment #5
davidwbarratt CreditAttribution: davidwbarratt at Golf Channel commented
Comment #6
davidwbarratt CreditAttribution: davidwbarratt at Golf Channel commented
Comment #7
ccjjmartin CreditAttribution: ccjjmartin at Four Kitchens commented
I just hit a similar error related to the user not having the "administer field collections" permission. I am uploading a patch that I believe fixes the issue of giving users too much permission while giving them the ability to "edit" field collections (specifically using entity reference fields). The patch creates a new level of permission called "Edit field collections" which on the site I am working on gives the users (editors) the ability to edit but doesn't give them access to edit the field collections administration page (that they could use to delete fields from field collections).
Comment #8
BBC
Seems that I've tripped over this one as well. Patch #7 worked well for me. Thanks ccjjmartin!
Comment #10
ram4nd CreditAttribution: ram4nd as a volunteer commented