IEF field widget do not check for entity create and edit access

Confirmed, we're no longer doing any kind of access checking around bundles (D7 checked create access on each bundle).

EDIT: To clarify, this is not intentional, we are simply missing access checking code, and we should add it.

Ok here is a patch.

It adds to new InlineEntityFormBase::getCreateBundles to return the bundles the current user can create.

This is used in InlineEntityFormComplex::formElement to determine if add should be shown

It also overrides canBuildForm in each widget class to determine if there are any entity operations that can be done.

Since the simple widget can only add 1 bundle then the user must have access to that.

I think tests will fail because we don't setup the tests with permission for the nested bundles

Ok here is the patch updated with tests and a TEST ONLY patch.

Very close!

+  protected function canBuildForm(FormStateInterface $form_state) {
+    if (parent::canBuildForm($form_state)) {
+      $settings = $this->getSettings();
+      // Return true if the user can create at least 1 bundle
+      // or adding existing entities is allowed.
+      return ($settings['allow_new'] && $this->getCreateBundles())
+        || $settings['allow_existing'];
+    }
+    return FALSE;
+  }
+

This is very unreadable, let's clean it up. The result of the parent:: call should be its own variable, and we should not have two rows of boolean checks paired with a return statement.

Close but no cigar!

I just figured out I am taking away access to the widget based on create access but widget may actually be editing a node.

Working on this now.

OK. I don't think my previous approach of checking access in InlineEntityFormBase::canBuildForm

This is because the use might be editing existing entities which they might have access to.

Also the user may not have access add or editing the existing entities but they should still be able reorder reference values if they already exist on the field or also they should be able add existing entities if the widget supports it.

Notes about the previous patch.

1. +++ b/src/Plugin/Field/FieldWidget/InlineEntityFormBase.php
   @@ -410,4 +432,57 @@ abstract class InlineEntityFormBase extends WidgetBase implements ContainerFacto
   +  protected function formMultipleElements(FieldItemListInterface $items, array &$form, FormStateInterface $form_state) {
   +    $element = parent::formMultipleElements($items, $form, $form_state);
   +    if (!$this->canAddNew()) {
   +      if (isset($element['add_more'])) {
   +        // Remove "add more" because the user cannot create any new entities.
   +        unset($element['add_more']);
   +      }
   +      // If the current user cannot add new entities remove "add" forms.
   +      foreach (Element::children($element) as $delta) {
   +        if (isset($element[$delta]['inline_entity_form'])) {
   +          if ($element[$delta]['inline_entity_form']['#op'] == 'add') {
   +            unset($element[$delta]);
   +          }
   +        }
   +      }
   +    }
   +    return $element;
   +  }
   +
   

   This function is overridden to take away the remove both "add more" button and empty "add" forms.

2. +++ b/src/Plugin/Field/FieldWidget/InlineEntityFormSimple.php
   @@ -51,6 +51,16 @@ class InlineEntityFormSimple extends InlineEntityFormBase {
   +    if ($op == 'edit') {
   +      /** @var \Drupal\Core\Entity\ContentEntityInterface $entity */
   +      if (!$entity->access('update')) {
   +        $element['entity_label'] = [
   +          '#type' => 'markup',
   +          '#markup' => $entity->label(),
   +        ];
   +        $element['inline_entity_form']['#access'] = FALSE;
   +      }
   +    }
   

   In the simple widget if the user does not have access to edit a specific entity we should still should the label of the entity.

   This allows the user to still reorder the entities when they don't have access to edit all the entities.

Updating the title because this patch also deals with the fact that simple widget does not check edit access on entities.

Without the patch in #9 a user could edit entities they don't have access to.

I will make a Test for this edit access problem.

Adding a test for access edit on the simple widget.

Basically for all nodes created in InlineEntityFormSimpleWebTest::testSimpleCardinalityOptions

The tests switches the owner of 1 of the child nodes to another user.

Then checks

1. For the node owned by the other user the title appears but the form does not.
2. For the nodes owned by the current user the form elements are found

Only TEST_ONLY patch failed.

Almost there.

+  /**
+   * {@inheritdoc}
+   */
+  protected function formMultipleElements(FieldItemListInterface $items, array &$form, FormStateInterface $form_state) {
+    $element = parent::formMultipleElements($items, $form, $form_state);
+    if (!$this->canAddNew()) {
+      if (isset($element['add_more'])) {

This method doesn't belong in the base class, it's specific to the Simple widget, so let's move it there.

Nitpicks:

+      // Check to make target bundles still exist.

Missing word.

+  public function testComplexEntityCreate() {
+
+    $user = $this->createUser([

Unneeded newline before $user.

Update patch with changes asked for in #15

Update patch with 1 more comment

// Take away access to inline form.
        // getInlineEntityForm still needs to be called for field re-ordering to work.
        $element['inline_entity_form']['#access'] = FALSE;

Because I don't think it is obvious why getInlineEntityForm is still being called.

Boom :)