Expected behavior: Creating a new node and relating a node have different permissions.
Actual behavior: Both use the permissions for relating a node.
The routes for group/{group}/node/create and group/{group}/node/add set a flag called $create_mode to signify which of the two is being done.
However, as the permissions go through the core entity layer, that flag is lost. When GroupContentAccessControlHandler::checkCreateAccess() checks the permission, it only calls GroupContentEnablerBase::createAccess(), which is appropriate when we're relating/adding an existing node but not creating a new one.
GroupContentAccessControlHandler::checkCreateAccess() needs to have an if/else somehow and call createAccess() for /add (relating) or createEntityAccess() for /create.
Comment | File | Size | Author |
---|---|---|---|
#22 | 2881769-22.patch | 1.9 KB | kekkis |
#10 | group-content-create-mode-permission.patch | 1.82 KB | lemming |
#9 | fix-group-create-content-page-perms-check-2972800-4.patch | 3.87 KB | jnicola |
#7 | 2881769-7.patch | 3.28 KB | bojan_dev |
#3 | 2881769-3.patch | 1.02 KB | ericras |
Comments
Comment #2
ericras commented
Comment #3
ericras at University of Nebraska commented
Here's a patch
Comment #4
ericras at University of Nebraska commented
Comment #5
ericras at University of Nebraska commented
I've been looking at problems with permissions related to Group Menu as well. It looks like checkAccess also needs a checkEntityAccess counterpart like createAccess/createEntityAccess. Currently, checkAccess looks at 'create' permissions which are related to creating relations; 'entity' permissions related to new entity creation are nowhere to be found.
So if a user has permission to edit the Group Menu entities but not the relations, they don't have proper abilities.
Comment #6
ericras at University of Nebraska commented
Comment #7
bojan_dev commented
I was getting a notice (Undefined index: create_mode) on the membership group content. Also, I have added the EntityHandlerInterface, so dependency injection would be available.
Comment #8
idebr at iO commented
Closed #2972800: Incorrectly entities permission checks on group/{group}/node/create ??? as a duplicate.
Comment #9
jnicola at Oregon Health & Science University (OHSU) commented
Bringing my patch over from the duplicate.
Reviewing what's here versus what I wrote, I think what I wrote is probably the correct approach. That said, I'll let you all review and decide for yourselves.
Instead of having an if in checkCreateAccess, I adjust the check for just this page with a new method that is called. No route matching or any other jank such as that.
Comment #10
lemming commented
Adding the "create_mode" parameter to GroupContentAccessControlHandler::checkCreateAccess() makes the most sense to me. This allows the checkCreateAccess() function to be used in other contexts, other than ones where the route specifically manages this argument.
The access handler also calls the GroupContentEnablerInterface::definesEntityAccess() function to check if this group content plugin supports the separate set of group access for entity creation operations.
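A simplified model of the access decision discussed in this issue, added here as an illustration; it is not the Group module's code and not any of the attached patches. ModelPlugin and both checkCreateAccess* functions are hypothetical; the permission strings are the ones quoted elsewhere in this thread, and which string each method checks, as well as the fallback for plugins without entity access, are assumptions.

```php
<?php
// Added model, not Group module code; class and function names are hypothetical.

final class ModelPlugin {
  public function __construct(private string $pluginId, private bool $definesEntityAccess) {}

  public function definesEntityAccess(): bool {
    return $this->definesEntityAccess;
  }

  // Relating an existing entity (/add). Permission mapping is an assumption.
  public function createAccess(array $perms): bool {
    return in_array("create {$this->pluginId} content", $perms, true);
  }

  // Creating a new entity (/create). Permission mapping is an assumption.
  public function createEntityAccess(array $perms): bool {
    return $this->definesEntityAccess
      && in_array("create {$this->pluginId} entity", $perms, true);
  }
}

// Reported behaviour: create_mode is lost, so only createAccess() is consulted.
function checkCreateAccessReported(ModelPlugin $p, array $perms): bool {
  return $p->createAccess($perms);
}

// Proposed behaviour: branch on create_mode. Falling back to createAccess()
// when the plugin defines no entity access is an assumption of this model.
function checkCreateAccessProposed(ModelPlugin $p, array $perms, bool $createMode): bool {
  if ($createMode && $p->definesEntityAccess()) {
    return $p->createEntityAccess($perms);
  }
  return $p->createAccess($perms);
}

$plugin = new ModelPlugin('group_node:fff', true);
$users = [ // constructed sample permission sets
  'relate-only' => ['create group_node:fff content'],
  'create-only' => ['create group_node:fff entity'],
];
foreach ($users as $name => $perms) {
  printf("%-11s /create: reported=%s proposed=%s  /add: proposed=%s\n", $name,
    var_export(checkCreateAccessReported($plugin, $perms), true),
    var_export(checkCreateAccessProposed($plugin, $perms, true), true),
    var_export(checkCreateAccessProposed($plugin, $perms, false), true));
}
```

In this model the relate-only user passes the reported check on /create but fails the proposed one, and the create-only user shows the opposite.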
Comment #11
lemming commented
Comment #14
Amazee commented
Comment #15
fskreuz at Portland Webworks commented
Patch #10 worked for me. Tested on a bare install of 8.7.1 against gnode as well as a custom entity plugin.
Comment #16
Feng-Shui commented
Patch #10 worked for me re gnode on 8.8.0-rc1.
Comment #17
LOBsTerr at European Commission and European Union Institutions, Agencies and Bodies commented
Hey, I was trying to test in order to write the tests for this case, but I was able to reproduce it.
I have content type 'fff'. If I give permission "create group_node:fff content" for a member role, I can access group/[GID]/content/create/group_node%3Afff, but I can't access group/[GID]/content/add/group_node%3Afff.
And if I give permission "create group_node:fff entity" I can't access group/[GID]/content/add/group_node%3Afff, but I can access group/[GID]/content/create/group_node%3Afff.
So, it works as expected or am I missing something?
Comment #18
jnicola at Oregon Health & Science University (OHSU) commented
I think you got your can and can't mixed up in there... since all you have are can't statements?
Comment #19
LOBsTerr at European Commission and European Union Institutions, Agencies and Bodies commented
@jnicola, my bad :( I have edited the comment. Briefly, I tried to debug it; for me it works as expected. Could you tell me what your case is? I have checked all comments above, the latest patches and also your post.
Comment #20
alternativo as a volunteer commented
Hi, I put patch #10 but I cannot see changes in permission to add existing node or create new one.
What I need is to have only the permission for members to create new nodes, and not to add relationship to existing nodes.
Is that possible?
I thought it was 'Relationship: Add entity relation' that 'Allows you to add an existing contenuto entity to the group.'...it is unchecked, but members can still add existing node ...
Thanks in advance
:)
Comment #21
idebr at iO commented
There is an issue describing the same symptoms in #2842630: Empty page when trying to create group node.
Comment #22
kekkis
Rerolled patch against 8.x-1.x - the one in #10 applies cleanly to 8.x-1.0-rc5 but won't apply to the 8.x-1.x branch.
Comment #23
gnuget
I reviewed and tested this patch and it looks good to me.
Thanks @kekkis!
Comment #24
Dubs commented
This patch works for me too - please can this be merged in?
Comment #25
SocialNicheGuru commented
Deleted comment. Meant for another issue.