Still on Drupal 7? Security support for Drupal 7 ended on 5 January 2025. Please visit our Drupal 7 End of Life resources page to review all of your options.Problem/Motivation
There is no permission to control the access to the mini layouts. The current implementation of layout builder (at least on Drupal 9.x) is controlling the access to blocks based on the access of the parent entity, in this case the mini_layout entity.
Steps to reproduce
- Install mini_layouts module in a Drupal 9 site
- Create a mini layout and place a content block on it
- Place the mini layout block on a page
- See that page as anonymous user. The mini layout will be present but the content block will be hidden.
Proposed resolution
- Create a new permission "access mini layouts"
- Implement the \Drupal\mini_layouts\Entity\MiniLayoutAccessControlHandler::access() method and check the "access mini layouts" permission
Remaining tasks
Review and test
User interface changes
None
API changes
New permission "access mini layouts"
Data model changes
None
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | mini_layouts-3172436-6.patch | 1.34 KB | milos.kroulik |
| #6 | interdiff-3-6.txt | 1.07 KB | milos.kroulik |
Comments
Comment #2
akalam commentedComment #3
akalam commentedPrevious patch is throwing a fatal error on admin pages if $account is not defined. Here is a patch fixing it.
Comment #4
akalam commentedComment #5
rlmumfordThis should override the 'checkAccess' method instead of the 'access' method, that would resolve the issue with $account being NULL.
Comment #6
milos.kroulik commentedFixed issue mentioned in #5.
Comment #7
milos.kroulik commented