Is it possible to ignore the edit permission check when a field value hasn't been changed? Take for instance if you're using the REST api. You have permission to view a field, but not edit it.

1. You request /user/1?_format=json and get a JSON representation of the user, with your field field_viewable in the response.
2. You make changes to the user, but DO NOT make any changes to field_viewable.
3. You POST the resulting JSON to update the user.
4. You receive a Access denied on updating field_viewable. error, even though you have not changed the field value.

This is a common use case for REST services, where you read data, update a value, then submit it for an update. I'm not sure how difficult supporting a feature like this would be. Any insight?

Comments

EAnushan created an issue. See original summary.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented

Hmm, I'd suspect a bug in core's REST implementation for entities if it is trying to update/set a field that isn't POSTed...

EAnushan’s picture

EAnushan CreditAttribution: EAnushan commented
Status: Active » Closed (duplicate)

You're right, see https://www.drupal.org/node/2821077

Closing this issue in favor of the above core issue.