Problem/Motivation
On the taxonomy overview page are listed two operations for each term : Edit and Delete.
Both operations will be shown even if the current user doesn't have the access permissions for them.
If the user clicks on an operation she doesn't have a permission for, there will be access denied message shown.
Proposed resolution
Before adding the operations check if the current user has an access right to it.
Remaining tasks
Review.
User interface changes
None.
API changes
None.
Data model changes
None.
Comment | File | Size | Author |
---|---|---|---|
#13 | 2687775-13.patch | 3.62 KB | hchonov |
#7 | interdiff-4-7.txt | 1.05 KB | hchonov |
#7 | 2687775-7.patch | 3.65 KB | hchonov |
#5 | 2687775-4.patch | 3.6 KB | hchonov |
#2 | 2687775-2.patch | 1.37 KB | hchonov |
Comments
Comment #2
hchonovComment #3
hchonovComment #5
hchonovThe forum overview extends from the terms overview class and needs the same checks as well..
Comment #7
hchonovComment #8
Berdir#2599128: Allow user with edit terms permission to access vocabulary overview also fixes this, beside other things.
Comment #11
tstoecklerAt the very least this needs tests. Not sure about the relationship to #2599128: Allow user with edit terms permission to access vocabulary overview.
Comment #13
hchonovRe-roll only.
Comment #14
joshmillerHEAD is now 8.4.x, yeah?
Also, the re-roll is nice, but doesn't include a test, so still needs work.
Comment #15
BerdirI posted a detailed overview of all related issues that we have around this topic in #1848686-179: Add a dedicated permission to access the term overview page (without 'administer taxonomy' permission) (#179 if the link does not work).
As suggested there, I'm closing this issue as a duplicate of that issue as that also has to solve this problem and it does now so by using the list builder operations API.