group/{group}/node/create uses the permissions of group/{group}/node/add [#2881769]

Expected behavior: Creating a new node and relating a node have different permissions.
Actual behavior: Both use the permissions for relating a node.

The routes for group/{group}/node/create and group/{group}/node/add set a flag called $create_mode to signify which of the two is being done.

However, as the permissions go through the core entity layer, that flag is lost. When GroupContentAccessControlHandler::checkCreateAccess() checks the permission it only calls GroupContentEnablerBase::createAccess() which is appropriate when we're relating/adding existing node but not creating a new one.

GroupContentAccessControlHandler::checkCreateAccess() needs to have an if/else somehow and call createAccess() for /add (relating) or createEntityAccess() for /create

Comment	File	Size	Author
#22	2881769-22.patch	1.9 KB	kekkis
#22	8.x-1.x: PHP 7.2 & MySQL 5.7, D8.9 5,083 pass
#10	group-content-create-mode-permission.patch	1.82 KB	lemming
#10	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.7 Build Successful
#10	group-content-create-mode-permission.patch	1.82 KB	lemming
#10	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.7 74 pass PHP 5.5 & MySQL 5.5, D8.6 68 pass, 2 fail PHP 7 & MySQL 5.5, D8.7 74 pass
#9	fix-group-create-content-page-perms-check-2972800-4.patch	3.87 KB	jnicola
#9	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.6 69 pass
#7	2881769-7.patch	3.28 KB	bojan_dev
#7	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.5 61 pass
#3	2881769-3.patch	1.02 KB	ericras
#3	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.4 51 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

26 May 2017 at 20:54

ericras created an issue. See original summary.

Comment #2

ericras CreditAttribution: ericras commented 26 May 2017 at 20:57

Issue summary:

View changes

Comment #3

ericras CreditAttribution: ericras at University of Nebraska commented 26 May 2017 at 21:31

File	Size
2881769-3.patch	1.02 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.4 51 pass

Here's a patch

Comment #4

ericras CreditAttribution: ericras at University of Nebraska commented 26 May 2017 at 21:32

Status:

Active

» Needs review

Comment #5

ericras CreditAttribution: ericras at University of Nebraska commented 26 May 2017 at 23:34

I've been looking at problems with permissions related to Group Menu as well. It looks like checkAccess also needs a checkEntityAccess counterpart like createAccess/createEntityAccess. Currently, checkAccess looks at 'create' permissions which are related to creating relations; 'entity' permissions related to new entity creation are nowhere to be found.

So if a user has permission to edit the Group Menu entities but not the relations, they don't have proper abilities.

Comment #6

ericras CreditAttribution: ericras at University of Nebraska commented 26 May 2017 at 23:35

Title:

group/{group}/node/create use's the permissions of group/{group}/node/add

» group/{group}/node/create uses the permissions of group/{group}/node/add

Comment #7

bojan_dev CreditAttribution: bojan_dev commented 24 October 2017 at 13:06

File	Size
2881769-7.patch	3.28 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.5 61 pass

I was getting an notice (Undefined index: create_mode), on the membership group content. Also I have added the EntityHandlerInterface, so dependency injection would be available.

Comment #8

idebr CreditAttribution: idebr at iO commented 30 May 2018 at 12:57

Closed #2972800: Incorrectly entities permission checks on group/{group}/node/create ??? as a duplicate.

Comment #9

jnicola CreditAttribution: jnicola at Oregon Health & Science University (OHSU) commented 31 May 2018 at 17:42

File	Size
fix-group-create-content-page-perms-check-2972800-4.patch	3.87 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.6 69 pass

Bringing my patch over from the duplicate.

Reviewing what's here versus what I wrote, I think what I wrote is probably the correct approach. That said, I'll let you all review and decide for yourselves.

Instead of having an if in checkCreateAccess, I adjust the check for just this page with a new method that is called. No route matching or any other jank such as that.

Comment #10

lemming CreditAttribution: lemming commented 18 July 2018 at 19:19

File	Size
group-content-create-mode-permission.patch	1.82 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.7 74 pass PHP 5.5 & MySQL 5.5, D8.6 68 pass, 2 fail PHP 7 & MySQL 5.5, D8.7 74 pass
group-content-create-mode-permission.patch	1.82 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.7 Build Successful

Adding the "create_mode" parameter to the GroupContentAccessControlHandler::checkCreateAccess() makes the most sense to me. This allows the checkCreateAccess() function in other contexts, other than ones where the route specifically manages this argument.

The access handler also calls the GroupContentEnablerInterface::definesEntityAccess() function to check if this group content plugin supports the separate set of group access for entity creation operations.

Comment #11

lemming CreditAttribution: lemming commented 18 July 2018 at 19:20

1 file was hidden/shown/deleted

File	Size
group-content-create-mode-permission.patch	1.82 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.7 Build Successful

Comment #12

19 July 2018 at 00:16

The last submitted patch, 10: group-content-create-mode-permission.patch, failed testing. View results

Comment #13

19 July 2018 at 00:16

Status:

Needs review

» Needs work

The last submitted patch, 10: group-content-create-mode-permission.patch, failed testing. View results

Comment #14

Amazee CreditAttribution: Amazee commented 11 September 2018 at 10:12

Status:

Needs work

» Needs review

Comment #15

fskreuz CreditAttribution: fskreuz at Portland Webworks commented 16 May 2019 at 19:30

Patch #10 worked for me. Tested on a bare install of 8.7.1 against gnode as well as a custom entity plugin.

Comment #16

Feng-Shui CreditAttribution: Feng-Shui commented 26 November 2019 at 05:07

Patch #10 worked for me re gnode on 8.8.0-rc1.

Comment #17

LOBsTerr CreditAttribution: LOBsTerr at European Commission and European Union Institutions, Agencies and Bodies commented 23 December 2019 at 08:39

Hey, I was trying to test in order to write the tests for this case, but I was able to reproduce it.
I have content type 'fff'. If I give permission "create group_node:fff content" for a member role, I can access group/[GID]/content/create/group_node%3Afff, but I can't access group/[GID]/content/add/group_node%3Afff.

And if I give permission "create group_node:fff entity" I can't access group/[GID]/content/add/group_node%3Afff, but I can access group/[GID]/content/create/group_node%3Afff.

So, it works as expected or I missing something?

Comment #18

jnicola CreditAttribution: jnicola at Oregon Health & Science University (OHSU) commented 20 December 2019 at 21:40

I think you got your can and can't mixed up in there... since all you have are can't statements?

Comment #19

LOBsTerr CreditAttribution: LOBsTerr at European Commission and European Union Institutions, Agencies and Bodies commented 23 December 2019 at 08:41

@jnicola, my bad :( I have edited the comment. Briefly, I tried to debug it for me it works as expected. Could you tell what is your case? I have checked all comments above , the latest patches and also your post.

Comment #20

alternativo CreditAttribution: alternativo as a volunteer commented 13 March 2020 at 17:50

Hi, I put patch#10 but I cannot see changes in permission to add existing node or create new one.
What I need is to have only the permission for members to create new nodes, and not to add relationship to existing nodes..
Is that possible?
I thought it was 'Relationship: Add entity relation' that 'Allows you to add an existing contenuto entity to the group.'...it is unchecked, but members can still add existing node ...

Thanks in advance
:)