Synopsis
Taxonomy Access Fix grants permission for users to create terms based on a per-vocabulary add terms in permission. Drupal Core does the same based on a per-vocabulary create terms in permission, which is not used when Taxonomy Access Fix is installed. This is confusing for site builders and requires to re-implement a lot of the checks already done by core just to use another permission name. Taxonomy Access Fix should migrate users to Drupal Core's permission instead.
Discussion
As part of this issue, we should
- remove the
checkCreateAccess()method from the access control handler so that the parent implementation provided by Drupal Core is used. Note: This will grant users with permission to Administer vocabularies and terms access to create terms programmatically, which they didn't have in earlier versions. This should be okay without opening a new branch, since the permission is the ultimate administrative permission used by Taxonomy module that should in theory grant access to everything Taxonomy no matter what. Also, affected users already have access to the route to create terms via UI, so this looks more like an oversight/bug. We will inform users of the module about this change in the release notes anyway. - remove the route alteration of the
entity.taxonomy_term.add_form. Drupal Core will check for the create terms in permission already. - remove the
getOperations()method from the vocabulary list builder. Drupal Core will check for the create terms in permission already. - use the parent's
currentUserproperty in therender()method of the vocabulary list builder instead of using\Drupal. - add a description to the add terms in permission informing users about the migration to Drupal Core's permission.
- add dependency injection for the permission callback class.
- rename the permission callback from
getAccess()togetPermissions(), so that the name better reflects what the method does. - introduce an update path that grants the create terms in permission to roles that have permission to add terms in.
- only provide the add terms in permission when the user has not yet run the update path.
- update existing tests as needed.
- add tests for the update path.
- make any changes needed for compatibility with Drupal Coding Standards in files we touch anyway.
Release notes snippets
Users with permission to Administer vocabularies and terms now have permission to create Taxonomy terms programmatically in any vocabulary without the need for any other permission. Previously, they only had access to create terms in any vocabulary via UI, but not programmatically.
Please note: There are database changes in this release. Users upgrading from 8.x-2.7 or earlier releases must apply database updates (e.g. run update.php) for the changes to take effect.
The Add terms in vocabulary permissions provided by Taxonomy Access Fix are no longer used and will be removed in a future release. Roles with this permission will be assigned the Vocabulary: Create terms permissions provided by Drupal Core during the update. Users are encouraged to review the updated permissions.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | interdiff-3100469-02-3100474-02.txt | 35.29 KB | feyp |
| #2 | taxonomy-access-fix-3100474-02.patch | 42.33 KB | feyp |
Comments
Comment #2
feyp commentedAttached is a patch against 8.x-2.x. Note that the patch file includes the changes from #3100469-2: Extend TermAccessControlHander instead of EntityAccessControlHandler to facilitate automated testing. I provided an interdiff file that contains only the changes I think should be made in this issue.
Comment #3
casey commentedReroll of the patch without the update hook; for those who want to use the patch right now without screwing up their module update status :)
Comment #6
feyp commentedCrediting voleger and Anybody for reviewing and testing the original patch in the private issue on security.drupal.org.
Comment #8
feyp commented