It seems sometimes we need to getReferenceableEntities with some access control.

An example is on Matt Glaman (mglaman)'s Commerce Marketplace
https://github.com/mglaman/commerce_marketplace/blob/master/src/Plugin/E...

It would be more than helpful to have a generic extension for Entity reference selection, where we can use the EntityAccessControlHandler to get the right Entities based on user permissions to use those references.

Another example is at #2885534-2: Create order type permission doesn't allow orders to be created
In this issue it's about the "commerce_entity_select" form input element.
First, I think we need to use, somehow, the EntityReferenceSelection, instead of having its own processEntitySelect().
And second, in the issue, it's about access based on the "create" entity permission.
So the access control here should be aware of entity operations access.


Comments


vasike’s picture

Status: Active » Needs review

Here is a try on this matter

- New "EntityReferenceSelection" plugin : CommerceDefaultSelection
which extends the default one.

- Add a new "operation_access" setting to the "entity_reference_selection" schema
This new setting could be used to specify the entity operation it is needed for (create, update, delete, view)
And implement it for the configuration form

- "Create" operation - specific case, when we need a list of Config entities that are "bundleOf" an entity type
For example the need for "OrderAddForm"
Alter getReferenceableEntities with EntityAccessControlHandler for create

- For the other operations, alter the "buildEntityQuery"
Several scenarios there based on operations, ownership and bundle permissions.
Not sure about ownership if we do not have the owner field as an "annotation"; it could be anything other than "uid".

- Update the "EntitySelect" (commerce_entity_select) element and include a new '#operations_access' property.
And use the EntityReferenceSelection to get the referenced entities.

- Example: in "OrderAddForm" for "Order type" and "Store" elements.

Not sure if we could imagine a generic solution, that could be included in Entity module, or Core.
Anyway, at least we could discuss about this and maybe find a (better) solution, at least for Commerce.

Feedback, please

zenimagine’s picture

- Do you think it is possible to control the access to payment methods by shop?
This means that each shop owner can configure his payment method.
For example each shop may have a different PayPal account.

- Same question for shipping methods.

bojanz’s picture

Status: Needs review » Closed (won't fix)

This is no longer needed, since Commerce 2.10 uses the Entity Query Access API added to Entity API 8.x-1.0-rc1.

See #2499645: Start using the entity query access API on orders, products and stores.