Problem/Motivation

A button was added to the taxonomy terms create page to redirect to the vocabulary list after creating a new term.

In this issue we forgot to add a check if a user has access to the overview page.

In general it is a bad (security & ux) practice to show links to items a user doesn't have access to.

Steps to reproduce

- create a taxonomy
- create a user with permission to create/edit terms in this taxonomy
- link to the creation form
- click on the "Save and go to list" button
- a 403 access denied is shown

Proposed resolution

Hide the "Save and go to list" link when a user doesn't have access.

Remaining tasks

Add a check to see if the user has the "Access the taxonomy vocabulary overview page" permission.

User interface changes

In some cases the "Save and go to list" link will be hidden.

API changes

-

Data model changes

-

Release notes snippet

CommentFileSizeAuthor
#9 interdiff.txt984 byteslauriii
#9 3347816-9.patch1.81 KBlauriii

Issue fork drupal-3347816

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

mpp created an issue. See original summary.

mpp’s picture

mpp commented
Status: Active » Needs review

Added check on 'access taxonomy overview' permission.

mpp opened merge request !3658

smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative, +Needs tests

The failures in the MR seem legit ones and not random ckeditor5.

This change will require a test case also to show the issue.

Thanks

mpp’s picture

mpp commented

"This change will require a test case also to show the issue."

The failure actually shows that there is a bug as the current test doesn't provide a user with the 'access taxonomy overview' permission.

AlexGreen made their first commit to this issue’s fork.

aleexgreen’s picture

aleexgreen commented
Status: Needs work » Needs review
Issue tags: -Needs tests

Fixed the test and added one for the new functionality.

mpp’s picture

mpp commented
Status: Needs review » Reviewed & tested by the community

Looks good, thank you.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
commented
StatusFileSize
new 3347816-9.patch1.81 KB
new interdiff.txt984 bytes

We could use #access for this which simplifies the if condition. Posting as a patch to test across all branches.

  • lauriii committed 16da1ce8 on 10.1.x 
    Issue #3347816 by mpp, AlexGreen, lauriii: Only show link to taxonomy...

  • lauriii committed 01800acd on 10.0.x 
    Issue #3347816 by mpp, AlexGreen, lauriii: Only show link to taxonomy...

  • lauriii committed 158d0893 on 9.5.x 
    Issue #3347816 by mpp, AlexGreen, lauriii: Only show link to taxonomy...

lauriii closed merge request !3658

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
commented
Status: Reviewed & tested by the community » Fixed

Committed 16da1ce and pushed to 10.1.x. Also cherry-picked to 10.0.x and 9.5.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.