Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Access checking for "view" operation requires "view [entity-type]" permission even if "View own [entity-type]" is already given.
Proposed resolution
Update EntityAccessControlHandler::checkEntityOwnerPermissions to something like:
protected function checkEntityOwnerPermissions(EntityInterface $entity, $operation, AccountInterface $account) {
if ($operation === 'view') {
if ($entity instanceof EntityPublishedInterface && !$entity->isPublished()) {
if (($account->id() == $entity->getOwnerId())) {
$permissions = [
"view own unpublished {$entity->getEntityTypeId()}",
];
return AccessResult::allowedIfHasPermissions($account, $permissions)->cachePerUser();
}
return AccessResult::neutral()->cachePerUser();
}
else {
// CHANGE STARTS HERE.
return AccessResult::allowedIfHasPermissions($account, [
"$operation own {$entity->getEntityTypeId()}",
"$operation any {$entity->getEntityTypeId()}",
"$operation own {$entity->bundle()} {$entity->getEntityTypeId()}",
"$operation any {$entity->bundle()} {$entity->getEntityTypeId()}",
"view {$entity->getEntityTypeId()}",
], 'OR');
}
}
else {
if (($account->id() == $entity->getOwnerId())) {
$result = AccessResult::allowedIfHasPermissions($account, [
"$operation own {$entity->getEntityTypeId()}",
"$operation any {$entity->getEntityTypeId()}",
"$operation own {$entity->bundle()} {$entity->getEntityTypeId()}",
"$operation any {$entity->bundle()} {$entity->getEntityTypeId()}",
], 'OR');
}
else {
$result = AccessResult::allowedIfHasPermissions($account, [
"$operation any {$entity->getEntityTypeId()}",
"$operation any {$entity->bundle()} {$entity->getEntityTypeId()}",
], 'OR');
}
return $result;
}
}
Above code untested
Remaining tasks
- Patch
User interface changes
None
API changes
None
Data model changes
None
Comments
Comment #2
angheloko CreditAttribution: angheloko commentedUpdated title and description.
Comment #3
bojanz CreditAttribution: bojanz at Centarro commentedThe underlying code has been split and modified too many times since beta1 for me to make sense of this bug report.
Closing as outdated. Please retest with 8.x-1.x-dev, and ideally, reopen the issue with a patch (can be just a test failure).