Permissions not respected

It looks like cloning is allowed if any of these permissions are granted:

• "Administer content" (in the Node section)
• "Bypass content access control" (in the Node section)
• Both "{Content Type}: Create new content" (in the Node section) and "{Content Type}: clone content" (in the Quick Node Clone section).

For my use cases having the ability to clone is more closely related to the type of content than overall content editing permissions, so I'd rather be more restrictive.

Here's the current permissions check (as jproctor points out above):

  $current_user = \Drupal::currentUser();
  if ($current_user->hasPermission("administer nodes")) {
    return TRUE;
  }
  if ($current_user->hasPermission("bypass node access")) {
    return TRUE;
  }
  if ($current_user->hasPermission("clone $bundle content") && $current_user->hasPermission("create $bundle content")) {
    return TRUE;
  }
  return FALSE;

I will probably patch with:

  $current_user = \Drupal::currentUser();
  return ($current_user->hasPermission("clone $bundle content")
    && ($current_user->hasPermission("create $bundle content") || $current_user->hasPermission("administer nodes") || $current_user->hasPermission("bypass node access")));

But... my use case would probably be better handled as third-party node configuration, where you'd set up (on the node type edit form, probably) which node types can be cloned outside the permission system. The available permissions would then change according to that configuration.

We have the same Problem with the permissions.

A patch would be nice to have for that problem.

Created a patch that grants clone permission if the user has "bypass node access" or otherwise if they have all three of "administer nodes", "clone $bundle content" and "create $bundle content"

I think that this might be too restrictive. If we want to make this strictly an administrator tool, then the patch in #6 would do it.

But there are other people, such as a client of mine, that allow users to clone other people's content and revise it. The patch from #6 would require them to grant these users the "administer nodes" permission which seems excessive to me since that permission also opens up a bunch of other options to users that might not be desired.

I believe it would be better to do something like my attached patch instead since it will keep the status quo a little more....quo.

Basically, it would allow administrators to determine the behavior of this module and give them a little more control over how the permissions were applied.

Here is a screenshot of the new option my patch in #10 would add.

Ah. Missed updating the schema file.

Attaching a fresh patch with the schema file update.

We switched to another clone module, but this one is the better one at least for us, so we'll test the patch within the next days, so far many thanks for the effort..

I guess my use case is not covered by this proposed solution, since I'm looking to make node clone available only on specific content types, regardless of who has permissions. I think that is a different issue though, so I'll open a new one for that.

Added #3075823: Enable/disable for specific content types

I installed the patch today, and it worked. Thx for this addition

Awesome patch, just what I need, thanks for it! It didn't apply anymore to 1.12 so updated the patch slightly.

Sorry, was checked out on the dev branch. For 1.12 patch #13 still applies correctly.
So if anyone needs the dev branch with this patch they can use #19 :P

I have tested and can confirm this patch works! Thank you

Patch doesnt apply, needs a reroll against latest dev.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3407  100  3407    0     0   2126      0  0:00:01  0:00:01 --:--:--  2125

error: patch failed: quick_node_clone.module:82
error: quick_node_clone.module: patch does not apply

#13 works.
Many thanks!

I agree with the approach. Some comments though:

1. +++ b/quick_node_clone.module
   @@ -82,14 +82,20 @@ function _quick_node_clone_has_clone_permission($bundle) {
   +  $admin_only = (bool) \Drupal::config('quick_node_clone.settings')->get('admin_only');
   +  if ((($admin_only && $current_user->hasPermission('administer nodes')) || !$admin_only)
   +    && $current_user->hasPermission("clone $bundle content")
   +    && $current_user->hasPermission("create $bundle content")
   +  ) {
        return TRUE;
      }
   

   This logic makes my brain melt. Especially permission code should be crystal clear.

   My proposal

   $restrict_to_admin = (bool) \Drupal::config('quick_node_clone.settings')->get('admin_only');
   $can_edit_and_clone = $current_user->hasPermission("clone $bundle content") && $current_user->hasPermission("create $bundle content");
   
   if ($restrict_to_admin && $current_user->hasPermission('administer nodes') && $can_edit_and_clone) {
     return TRUE;
   }
   if (!$restrict_to_admin && $can_edit_and_clone) {
     return TRUE;
   }
   

2. +++ b/src/Form/QuickNodeCloneNodeSettingsForm.php
   @@ -41,6 +41,12 @@ class QuickNodeCloneNodeSettingsForm extends QuickNodeCloneEntitySettingsForm {
   +      '#title' => $this->t('Make cloning available only to administrators'),
   

   The word 'administrator' can also point to user/1 and users with the the administrator role. I propose 'content administrator' instead.

Also works for me. Thanks!

This needed an re-roll after #3120154: Add integration for Group module.

Also fixed a bug that was added with the referenced issue. See #3120154-20: Add integration for Group module.

I can confirm that patch #27 works.

Latest patch does not address feedback from #25.

I have updated the solution to include feedback and updates from previous comments.

Regarding the feedback in #25, I removed the "created" permission from the conditional since it's covered by the latest commits against the dev branch. Additionally, I have modified the conditional so that if a user has the ability to administer nodes, then they should have the ability to clone a node regardless of other permissions.

I have wrapped the additional checks (for group permissions and create permissions) so they are only checked if the admin_only setting is not set and the user has permission to clone the node.

I agree on the wording of the description of the admin_only checkbox and have incorporated the updated verbiage in this patch.

Updating the issue status to "Needs Review"

Any progress on this?

This appeared to work for me. #30

Rerolled the patch.

Any plans to include this in the next release?

@arthur.baghdasar thanks for the reroll, also have tested this, and works fine. Will commit these change and push in the next release maybe next month.

Sorry but permission is not respected again.
i setup clone permission on "article" and on my custom content type but rule "editor" can clone only "article".

I confirm that patch works fine.

We just upgraded from D9 to D10, and along the way also from 1.18 to 1.22 of this module. I now have a different issue than being reported here, but with the same title. With 1.18 this worked as expected without any patch. Which ever role was assigned perms to whichever bundle, had clone rights for that bundle only.

Now, with 1.22, non-admins do not have access to clone anything regardless if they have the perm set or not. Reverting back to 1.18 (but still in D10.4) and perms work as expected.

Having the same issue after upgrading the module from 1.20 to 1.22. The fork is not compatible with 1.22, reverting to 1.20 for now.
Appreciate if someone can look into it. Thanks

This is the latest patch that applies to 1.22

The patch can be applied, however this doesn't fix my issue. The clone option disappeared on node edit screen for non administrator users.

Can also report that we have the same issue when updating from 1.20 to 1.22. We are also using version 1 of groups but I'm not sure if that's the cause since the 1.22 release states it supports Group's v1 again