Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Follow up from #2584647: Flagging access system not extensible.
This code in UserFlagType::actionAccess()
assumes that the $flaggable
object will always be available, but the function signature allows for null values.
/**
* {@inheritdoc}
*/
public function actionAccess($action, FlagInterface $flag, AccountInterface $account, EntityInterface $flaggable = NULL) {
$access = parent::actionAccess($action, $flag, $account, $flaggable);
// If the acting upon yourself check for permission.
$is_current_user = $account->id() == $flaggable->id();
Steps to reproduce
- Enable flag module, and add a user entity flag
- Select the 'Display checkbox on entity edit form' option when adding the flag
- Visit
user/1/edit
and note the fatal error
Comment | File | Size | Author |
---|---|---|---|
#10 | interdiff-2802653-7-10.txt | 724 bytes | martin107 |
#10 | 2802653-10.patch | 1.71 KB | martin107 |
Comments
Comment #2
jhedstromI was incorrect. This can be reproduced with just the flag module. I'm bumping to critical since this was introduced by a critical issue, and results in fatal errors. I've updated the IS with steps to reproduce. I'll post a patch shortly.
Comment #3
jhedstromThis fix seems to work in local testing.
Comment #6
BerdirThat's not the same at all, your code assumes that flaggable is always the current user.
The whole thing needs to be wrapped in an if ($flaggable). A check without $flaggable means we can't do flaggable specific checks.
Comment #7
jhedstromThis takes the approach suggested in #6.
Comment #8
BerdirCan we add a test for this? I think just calling getFlags() when a flag on users exist should be enough?
Comment #9
martin107 CreditAttribution: martin107 commentedI will add the test.
Comment #10
martin107 CreditAttribution: martin107 commentedAdded extra two checks to AccessTest::testUserFlag().
Comment #11
jhedstromHa! I love the
noSelfiesFlag
!Comment #12
BerdirWorks for me.
Comment #14
joachim CreditAttribution: joachim commentedCommitted. Thanks everyone!