Problem/Motivation

Bundles the current user is not permitted to create are shown in the bundle dropdown of the inline form. Can entities of those bundles actually be created through it too?

Steps to reproduce

TODO, see #11

Proposed resolution

If reproducible, call InlineEntityFormBase::getCreateBundles() (which filters the target bundles by create access) in the right place instead of the unfiltered getTargetBundles().

Remaining tasks

- Create step-by-step instructions in the issue summary for how to make the issue happen. (This can be done with standard Drupal, by setting Node create/edit permissions so that a role may create one content type but not another.)
- Exactly describe what happens: Can invalid bundles be created or are they only in the dropdown?
- Code a failing test that demonstrates the problem
- Code a fix
- Review, commit.

Original Issue Summary

Summary:
When a complex entity inline form is created, there is no check on whether or not the user has access to the entity bundle that is used to create the form. This may allow users to create entities from bundles that they do not have access to normally.

Details:
To generate the complex entity inline form, the determineBundle() method is called to figure out which bundle of an entity type should be used. This uses the method getTargetBundles() to get a list of bundles of an entity type. It then takes the first available value from that list.
No access check is performed on these bundles vs the active user. This means that users can potentially get access to bundles that they are not permitted to.

Reproducibility:
In my own project, this issue allowed a user to get access to an entity form for a bundle that the user had no access to.
I'm not sure how to reproduce this on a standard Drupal install, as it probably requires a custom implementation of the EntityAccessControlHandler class ( as I have in my project ).

However, as far as I can see, the inline entity form module lets Drupal populate the drop-down list of available bundles, which then correctly filters out any entity bundles that are off-limits. Yet it then proceeds to generate a form using an arbitrary element from the bundle list returned by getTargetBundles().
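As an added illustration (not Inline Entity Form's own code, and not from the reporter): a stand-alone PHP 8 script that models the flow described above. The stub access handler, the account strings, the bundle names and the two determineBundle*() methods are assumptions made up for this example; only the shape of the check, asking createAccess() for each bundle before picking one, mirrors what the summary and the proposed resolution describe.

```php
<?php
// Added illustration, not Inline Entity Form's code. It models the flow the
// issue describes: determineBundle() picking the first target bundle without a
// create-access check, beside a version that filters through createAccess()
// first. The access handler, account and bundle lists are stand-ins
// (assumptions), not Drupal's classes.

declare(strict_types=1);

/** Minimal stand-in for EntityAccessControlHandlerInterface::createAccess(). */
final class StubAccessHandler {
  /** @param array<string, string[]> $grants bundle => accounts allowed to create it */
  public function __construct(private array $grants) {}

  public function createAccess(string $bundle, string $account): bool {
    return in_array($account, $this->grants[$bundle] ?? [], true);
  }
}

final class BundlePicker {
  /** @param string[] $targetBundles bundles configured on the reference field (alphabetical, as in the report) */
  public function __construct(
    private array $targetBundles,
    private StubAccessHandler $access,
    private string $account,
  ) {}

  /** Equivalent of getTargetBundles(): no access filtering at all. */
  public function getTargetBundles(): array {
    return $this->targetBundles;
  }

  /** Equivalent of getCreateBundles(): only bundles the account may create. */
  public function getCreateBundles(): array {
    return array_values(array_filter(
      $this->targetBundles,
      fn (string $bundle) => $this->access->createAccess($bundle, $this->account)
    ));
  }

  /** The behaviour reported: first configured bundle, access ignored. */
  public function determineBundleUnchecked(): ?string {
    $bundles = $this->getTargetBundles();
    return $bundles ? reset($bundles) : NULL;
  }

  /** The proposed behaviour: first bundle the account may create, NULL if none. */
  public function determineBundleChecked(): ?string {
    $bundles = $this->getCreateBundles();
    return $bundles ? reset($bundles) : NULL;
  }
}

// Constructed scenario: the field targets 'article' and 'page'; the account
// 'editor' may create pages but not articles.
$access = new StubAccessHandler([
  'article' => ['admin'],
  'page' => ['admin', 'editor'],
]);
$picker = new BundlePicker(['article', 'page'], $access, 'editor');

printf("unchecked: %s\n", var_export($picker->determineBundleUnchecked(), TRUE));
printf("checked:   %s\n", var_export($picker->determineBundleChecked(), TRUE));

// An account with no create access to any target bundle gets no bundle at
// all; that is the point at which the form should deny rather than guess.
$locked = new BundlePicker(['article', 'page'], $access, 'anonymous');
printf("no access: %s\n", var_export($locked->determineBundleChecked(), TRUE));
```

Run it with `php example.php` (PHP 8.0 or later). The unchecked picker hands the 'editor' account the 'article' bundle it is not allowed to create, which is exactly the gap the summary describes; the checked picker returns 'page', and NULL for an account with no create access to any configured bundle, so the caller has to handle the "nothing allowed" case explicitly instead of silently falling back to the first bundle.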

Comments

Roensby created an issue. See original summary.

Roensby

Issue summary: View changes

Roensby

Here is a suggestion for adding access checks to form generation.
It simply adds a check to the getTargetBundles() method, to make sure that the user has access to the bundle.

  // Make sure that bundles are accessible for user.
  $target_bundles_with_access = [];
  foreach ($target_bundles as $bundle) {
    $has_access = $this->entityManager->getAccessControlHandler($settings['target_type'])->createAccess($bundle, NULL, [], FALSE);
    if ($has_access) {
      $target_bundles_with_access[] = $bundle;
    }
  }
  return $target_bundles_with_access;

Roensby

Corrected for missing instantiation of the entity manager.

mhmd

The patch fixed the issue and works fine with custom content entities, thanks @Roensby.

Roensby

Status: Active » Needs review

bojanz

Status: Needs review » Needs work

You can't use EntityManager, it's been deprecated for ages.
Use/inject EntityTypeManager instead.

andrey.troeglazov

Status: Needs work » Needs review
Issue tags: +IEF Release 8.x-1.0

Recreated patch #4 using EntityTypeManager.

joachim

Status: Needs review » Postponed (maintainer needs more info)
Issue tags: -bundle, -Entity Access, -Entity forms, -IEF Release 8.x-1.0

AFAICT this is already in the code, just not in that method:

  /**
   * Gets the bundles for which the current user has create access.
   *
   * @return string[]
   *   The list of bundles.
   */
  protected function getCreateBundles() {
    $create_bundles = [];
    foreach ($this->getTargetBundles() as $bundle) {
      if ($this->getAccessHandler()->createAccess($bundle)) {
        $create_bundles[] = $bundle;
      }
    }

    return $create_bundles;
  }

Is it maybe the case that something is calling getTargetBundles() when it should be calling getCreateBundles()?

keopx

Status: Postponed (maintainer needs more info) » Reviewed & tested by the community

I have two entity references, and it does not work. It only gets the first item (ordered alphabetically by bundle), not by the access rules.

After applying patch #8 it resolved the problem

Thanks @andrey.troeglazov

geek-merlin

Title: Possible access issue with entity bundles » Possibly can create entities with not permitted bundles
Issue summary: View changes
Status: Reviewed & tested by the community » Needs work

This issue can only proceed after some un-mess happens. See IS.

geek-merlin

Also there is a related issue with a superb IS and a patch. Please report back if that patch from the other issue fixes this.
- If yes, set status to closed(duplicate)
- Otherwise proceed as noted in the IS

geek-merlin

Status: Postponed (maintainer needs more info) » Closed (outdated)

That code changed a long time ago.