Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
ShortcutListController doesn't inherit its operations from ConfigEntityListController.
Comment | File | Size | Author |
---|---|---|---|
#30 | filter-1995048-30.patch | 2.73 KB | tim.plunkett |
#25 | access-1995048-25.patch | 23.88 KB | tim.plunkett |
#25 | interdiff.txt | 694 bytes | tim.plunkett |
#23 | access-1995048-23.patch | 23.63 KB | tim.plunkett |
#23 | interdiff.txt | 9.11 KB | tim.plunkett |
Comments
Comment #1
twistor CreditAttribution: twistor commentedThis maintains the current "Delete set" convention, but personally, I would be happier to just have "Delete."
Comment #2
twistor CreditAttribution: twistor commentedThis is a bit more adventurous, it remove the "Edit set" and "Delete set" operations in favor of the standard "Edit" and "Delete."
It also moves the access checks for edit and delete operations to Drupal\Core\Entity\EntityListController.
Comment #4
twistor CreditAttribution: twistor commentedThis should get all the tests passing, but needs work with the views stuff.
Comment #5
tim.plunkettLet's just retitle this.
Comment #6
BerdirI have a feeling that we don't have tests for every single config entity for those operation links, so will probably require some manual testing at least and maybe some additional tests? Not sure how useful it is if we have tests for this for every config entity?
Comment #7
dawehnerShould we maybe limit this to edit and delete?
Comment #8
twistor CreditAttribution: twistor commenteddawehner, I did it a little differently. There's still the clone and disable operations as well.
So my question is, should there be access checks for every operation, or just edit and delete?
Manually testing all EntityListControllers now.
Comment #9
dawehnerMaybe skip just "view", as you would need more context (like the current active display) in order to do it properly.
Comment #10
Berdir#8: getopterations-access-1995048-8.patch queued for re-testing.
Comment #12
BerdirChanging component. I think with the additional tests added in #2010290: Editing a config entity from a listing page results in a 'page not found', we're in a better shape to do this and not break all edit links again as we did before ;)
Comment #13
BerdirComment #14
BerdirSimple re-roll.
Will need more changes, e.g. the contact category list controller doesn't need to remove them again, but I want to get the NG conversion in first.
Comment #16
BerdirLots of random failures in there, but we're missing an access controller for actions I think.
Comment #17
damiankloip CreditAttribution: damiankloip commentedRerolled and added an ActionAccessController.
Comment #19
damiankloip CreditAttribution: damiankloip commentedLet's see how far this gets us.
Comment #21
BerdirLooks good, I expect the shortcut and picture list controllers are altering operations that aren't set anymore? I guess we're missing test coverage there?
Also, at least the contact category controller does access checks too, those can be removed now. Others might be similar.
Comment #22
tim.plunkett#1696660: Add an entity access API for single entity access says we should use 'update' not 'edit'. I disagree, but it's apparently too late.
Menu, PictureMapping, CustomBlockType were missing access controllers.
See #1984702: Convert menu.module's page callbacks to Controllers for upcoming changes to menu, which would have exposed this error.
I didn't yet check for double access checks (like contact category).
Comment #23
tim.plunkettOkay, I went through every instance of getOperations() and cleaned all of them up.
I think we should be done.
Comment #25
tim.plunkettBrainfart.
Comment #26
BerdirLooks great!
How is this related?
Comment #27
BerdirTalked about that part with @timplunkett and it's basically dead code that's being removed there. #theme isn't even set at this point, and #type dropbutton and operations is almost the same except a slightly different #theme suggestion. It's a bit out of scope here, but opening a separate issue to remove three lines of no-op code seems overkill.
So, given that we added a fair amount of test coverage for these operation links in the /edit issue., I think is ready to go in.
Comment #28
alexpottCommitted 4f8b8a5 and pushed to 8.x. Thanks!
Lets update https://drupal.org/node/2019575...
Also opened #2029319: ConfigEntityListController::getOperations adds 'enable' and 'disable' without checking access for discussion.
Comment #29
BerdirUpdated https://drupal.org/node/1799642, the other one was just about altering the operations.
Comment #30
tim.plunkettFilter was missing an access controller. Was going to add it in #2012312: Remove legacy code from filter.module, moving only the relevant parts to an issue.
Comment #31
tim.plunkettWe're missing tests, no sense in doing this here. See you in #2030129: FilterFormat has no access controller.