Now that we are checking access for CRUD operations #1995048: EntityListController::getOperations() should respect access checks what should we do about the 'enable' and 'disable' operation added in ConfigEntityListController::getOperations(). They are only added if they have a status key in their annotation.

CommentFileSizeAuthor
#3 enable-and-disable-access-2029319-3.patch689 bytesinternetdevels

Comments

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
commented
Issue tags: +Configurables

Tagging.

berdir’s picture

berdir
Primary language German
Location Switzerland
commented
Issue tags: +Novice

I think we should also check for update access there, should be a very simple patch. Have a look at the referenced issue.

internetdevels’s picture

internetdevels commented
Issue summary: View changes
Status: Active » Needs review
StatusFileSize
new enable-and-disable-access-2029319-3.patch689 bytes

Added check for update access.

berdir’s picture

berdir
Primary language German
Location Switzerland
commented

Yes, something like that. We should probably have some basic test coverage for this, we have a ConfigEntityListTest that we could extend.

The problem is that the ConfigTestAccessController does not implement any access control at all, so we would have to add add/update/delete permissions to config_test.module and check those in the access controller. Then we can check that users can only see the operations they're allowed to by default.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Issue tags: +Needs tests

I agree with #4 we need tests :)

xano’s picture

xano
he/they
Primary language English
Location Southampton
commented

#2200183: Add ConfigEntityAccessController fixes this and is RTBC as well.

xano’s picture

xano
he/they
Primary language English
Location Southampton
commented
Status: Needs review » Closed (duplicate)