The "Add new node" button appears even though the user does not have the permission to create nodes of the content type being referenced. Also, a user is able to create a node and the node saves. Expected behavior is that there should be no button if they don't have the ability to create a node of that content type.
Comment | File | Size | Author |
---|---|---|---|
#17 | ief-create_access-2672022-17.patch | 16.43 KB | tedbow |
#16 | ief-create_access-2672022-16.patch | 16.3 KB | tedbow |
#12 | ief-create_access-2672022-12-TEST_ONLY.patch | 8.39 KB | tedbow |
#12 | ief-create_access-2672022-12.patch | 15.94 KB | tedbow |
#9 | ief-create_access-2672022-9.patch | 13.36 KB | tedbow |
Comments
Comment #2
bojanz at Centarro commented:
Confirmed, we're no longer doing any kind of access checking around bundles (D7 checked create access on each bundle).
EDIT: To clarify, this is not intentional, we are simply missing access checking code, and we should add it.
Comment #3
tedbow:
Ok here is a patch.
It adds a new InlineEntityFormBase::getCreateBundles to return the bundles the current user can create.
This is used in InlineEntityFormComplex::formElement to determine if add should be shown.
It also overrides canBuildForm in each widget class to determine if there are any entity operations that can be done.
Since the simple widget can only add 1 bundle then the user must have access to that.
I think tests will fail because we don't set up the tests with permission for the nested bundles.
Comment #5
tedbow:
Ok here is the patch updated with tests and a TEST ONLY patch.
Comment #7
bojanz at Centarro commented:
Very close!
This is very unreadable, let's clean it up. The result of the parent:: call should be its own variable, and we should not have two rows of boolean checks paired with a return statement.
Comment #8
tedbow:
Close but no cigar!
I just figured out I am taking away access to the widget based on create access but the widget may actually be editing a node.
Working on this now.
Comment #9
tedbow:
OK. I don't think my previous approach of checking access in InlineEntityFormBase::canBuildForm
This is because the user might be editing existing entities which they might have access to.
Also the user may not have access to add or edit the existing entities, but they should still be able to reorder reference values if they already exist on the field, or also they should be able to add existing entities if the widget supports it.
Comment #10
tedbow:
Notes about the previous patch.
This function is overridden to take away both the "add more" button and empty "add" forms.
In the simple widget if the user does not have access to edit a specific entity we should still show the label of the entity.
This allows the user to still reorder the entities when they don't have access to edit all the entities.
Comment #11
tedbow:
Updating the title because this patch also deals with the fact that simple widget does not check edit access on entities.
Without the patch in #9 a user could edit entities they don't have access to.
I will make a Test for this edit access problem.
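The access decisions discussed in comments #3 and #9 to #11, as an added plain-PHP model that is not part of the thread, the patches, or Inline Entity Form. The function bodies, array shapes, and sample data are assumptions made for illustration; only the name getCreateBundles and the permission-string pattern (Drupal core's node permissions) come from Drupal.

```php
<?php
// Added illustration: plain-PHP model of the access decisions in this issue.
// Not Drupal or Inline Entity Form code; array shapes and data are constructed.

/** Bundles of the referenced type that the account may create. */
function getCreateBundles(array $targetBundles, array $permissions): array {
  return array_values(array_filter(
    $targetBundles,
    fn(string $bundle): bool => in_array("create $bundle content", $permissions, true)
  ));
}

/** Edit access model: "edit any", or "edit own" when the account owns the entity. */
function canEdit(array $entity, int $uid, array $permissions): bool {
  $bundle = $entity['bundle'];
  return in_array("edit any $bundle content", $permissions, true)
    || ($entity['owner'] === $uid && in_array("edit own $bundle content", $permissions, true));
}

/** Widget model: add button only for creatable bundles; label-only rows without edit access. */
function buildWidget(array $targetBundles, array $referenced, int $uid, array $permissions): array {
  $rows = [];
  foreach ($referenced as $entity) {
    // A label-only row can still be reordered, but exposes no edit form.
    $mode = canEdit($entity, $uid, $permissions) ? 'edit_form' : 'label_only';
    $rows[] = ['label' => $entity['label'], 'mode' => $mode];
  }
  return ['add_bundles' => getCreateBundles($targetBundles, $permissions), 'rows' => $rows];
}

/** Check on submit as well: hiding the button alone does not stop the node from saving. */
function assertCanCreate(string $bundle, array $targetBundles, array $permissions): void {
  if (!in_array($bundle, getCreateBundles($targetBundles, $permissions), true)) {
    throw new RuntimeException("Create access denied for bundle '$bundle'");
  }
}

// Constructed sample: account 7 may create articles and edit only its own.
$perms = ['create article content', 'edit own article content'];
$refs = [
  ['label' => 'Child A', 'bundle' => 'article', 'owner' => 7],
  ['label' => 'Child B', 'bundle' => 'article', 'owner' => 3],
];
print_r(buildWidget(['article', 'page'], $refs, 7, $perms));
try {
  assertCanCreate('page', ['article', 'page'], $perms);
} catch (RuntimeException $e) {
  echo $e->getMessage(), PHP_EOL;
}
```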
Comment #12
tedbow:
Adding a test for access edit on the simple widget.
Basically for all nodes created in InlineEntityFormSimpleWebTest::testSimpleCardinalityOptions
The test switches the owner of 1 of the child nodes to another user.
Then checks
Comment #14
tedbow:
Only TEST_ONLY patch failed.
Comment #15
bojanz at Centarro commented:
Almost there.
This method doesn't belong in the base class, it's specific to the Simple widget, so let's move it there.
Nitpicks:
Missing word.
Unneeded newline before $user.
Comment #16
tedbow:
Update patch with changes asked for in #15
Comment #17
tedbow:
Update patch with 1 more comment
Because I don't think it is obvious why getInlineEntityForm is still being called.
Comment #19
bojanz at Centarro commented:
Boom :)