While working with the services and uuid_services (uuid) modules, I was trying to PUT a new comment as an anonymous user and kept getting "403 Access denied for user anonymous". Anonymous users on my test site have the following comment permissions:
- access comments
- post comments
- skip comment approval
uuid/uuid_services/uuid_services.module > _uuid_services_entity_access($op, $args) ends up calling entity/modules/callback.inc > entity_metadata_comment_access($op, $entity = NULL, $account = NULL) and passing 'create' as the $op.
Without the "administer comments" permission, an anonymous user would never be allowed to create a comment even if they have the "post comments" permission since the "create" op is not handled.
Comment | File | Size | Author |
---|---|---|---|
#6 | comment_access_check-2236229-6.patch | 918 bytes | edaa |
#6 | interdiff-6.txt | 501 bytes | edaa |
#1 | add_create_op_to_metadata_comment_access-2236229-1.patch | 449 bytes | dkingofpa |
Comments
Comment #1
dkingofpa commented:
Here's a patch that adds "create" op support to entity_metadata_comment_access rolled from 7.x-1.x. Very simple patch, it should apply to 7.x-1.5 as well.
Comment #2
dkingofpa commented
Comment #3
frankkessler commented:
Patch verified on 7.x-1.6. It's impossible to post comments using the uuid_services and services modules without this patch unless you give the authenticated user administrator rights over comments.
Comment #4
mpotter commented:
OK, this one really is a no-brainer. Sad that it was done 2 years ago and didn't get a good review.
I ran into this using the Paragraphs module to add paragraph entities to comments. It checks the parent comment permissions, so passes "create" to entity_access when adding paragraphs to a new comment.
This really should get committed.
Comment #5
edaa commented:
+1 for this, currently comments can't be created through RESTful API.
Comment #6
edaa commented:
Take into account attempting to update a newly created comment.
Comment #7
edaa commented
Comment #8
garphy at ICI LA LUNE commented:
Really needed for any serious headless Drupal operating mode (RESTful or Services API).
+1 for committing this.
Comment #9
Moxide commented:
Just to bump this one...
Mandatory patch to make restful comments work!
Why is it still not committed?
Comment #10
fago commented:
I don't think it's the job of the entity API to correct the caller's $op.
Hm, does that relate to skip comment approval? I guess we have to make sure this permission is covered also somehow, e.g. via property access?
Comment #11
D34dMan commented:
Patch in #1 solves the issue.
Comment #12
efpapado at Ramsalt Lab commented:
I share the concerns of #10 (first part), but I agree that #6 fixes the problem, even if it is done wrong(ish)ly.
The comment approval permission (#10 second part) doesn't seem to be skipped.
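
A simplified stand-alone PHP model of the access decision described in the report and of the approval question raised in #10, added here as an illustration; it is not the Entity API code or either attached patch. The function names and role arrays are hypothetical, and the permission strings are the ones quoted in the report.

```php
<?php
// Simplified stand-alone model, NOT the Entity API source or the attached patch.
// Function names and $perms arrays are hypothetical; the permission strings are
// the ones quoted in the report. Only the 'view' and 'create' ops are modelled.

const COMMENT_NOT_PUBLISHED = 0;
const COMMENT_PUBLISHED = 1;

// Reported behaviour: without "administer comments", 'create' is never granted.
function model_access_before(string $op, array $perms): bool {
  if (in_array('administer comments', $perms, true)) {
    return true;
  }
  return $op === 'view' && in_array('access comments', $perms, true);
}

// Requested behaviour: 'create' is granted by "post comments".
function model_access_after(string $op, array $perms): bool {
  if ($op === 'create' && in_array('post comments', $perms, true)) {
    return true;
  }
  return model_access_before($op, $perms);
}

// Creating is not publishing: the initial status is decided separately, so a
// caller that can create but lacks "skip comment approval" lands in moderation.
function model_initial_status(array $perms): int {
  $trusted = in_array('skip comment approval', $perms, true)
    || in_array('administer comments', $perms, true);
  return $trusted ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
}

// Constructed role sets: the first matches the test site in the report.
$roles = [
  'anonymous (as reported)' => ['access comments', 'post comments', 'skip comment approval'],
  'anonymous (moderated)'   => ['access comments', 'post comments'],
  'read-only'               => ['access comments'],
];

foreach ($roles as $label => $perms) {
  printf(
    "%-24s create before=%s after=%s initial status=%d\n",
    $label,
    var_export(model_access_before('create', $perms), true),
    var_export(model_access_after('create', $perms), true),
    model_initial_status($perms)
  );
}
```

Keeping the create check and the initial-status decision in separate functions makes it easy to test that granting "post comments" alone never yields a published comment.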