Problem/Motivation

Access checking for "view" operation requires "view [entity-type]" permission even if "View own [entity-type]" is already given.

Proposed resolution

Update EntityAccessControlHandler::checkEntityOwnerPermissions to something like:

protected function checkEntityOwnerPermissions(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($operation === 'view') {
    if ($entity instanceof EntityPublishedInterface && !$entity->isPublished()) {
      if (($account->id() == $entity->getOwnerId())) {
        $permissions = [
          "view own unpublished {$entity->getEntityTypeId()}",
        ];
        return AccessResult::allowedIfHasPermissions($account, $permissions)->cachePerUser();
      }
      return AccessResult::neutral()->cachePerUser();
    }
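    else {
      // CHANGE STARTS HERE.
      // Permissions that grant view access regardless of ownership.
      $permissions = [
        "view {$entity->getEntityTypeId()}",
        "$operation any {$entity->getEntityTypeId()}",
        "$operation any {$entity->bundle()} {$entity->getEntityTypeId()}",
      ];
      // "own" permissions only count when the account owns the entity;
      // otherwise "view own" would grant access to every published entity.
      if ($account->id() == $entity->getOwnerId()) {
        $permissions[] = "$operation own {$entity->getEntityTypeId()}";
        $permissions[] = "$operation own {$entity->bundle()} {$entity->getEntityTypeId()}";
      }
      // The result depends on who the owner is, so vary the cache per user.
      return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR')->cachePerUser();
    }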
  }
  else {
    if (($account->id() == $entity->getOwnerId())) {
      $result = AccessResult::allowedIfHasPermissions($account, [
        "$operation own {$entity->getEntityTypeId()}",
        "$operation any {$entity->getEntityTypeId()}",
        "$operation own {$entity->bundle()} {$entity->getEntityTypeId()}",
        "$operation any {$entity->bundle()} {$entity->getEntityTypeId()}",
      ], 'OR');
    }
    else {
      $result = AccessResult::allowedIfHasPermissions($account, [
        "$operation any {$entity->getEntityTypeId()}",
        "$operation any {$entity->bundle()} {$entity->getEntityTypeId()}",
      ], 'OR');
    }
    // The result depends on the owner comparison above, so vary the cache per user.
    return $result->cachePerUser();
  }
}

Above code untested

Remaining tasks

  • Patch

User interface changes

None

API changes

None

Data model changes

None

Comments

angheloko created an issue. See original summary.

angheloko commented:

Title: Access checking for "view" operation requires "view <entity-type>" for custom entities » Access checking for "view" operation requires "view [entity-type]" for custom entities
Issue summary: View changes

Updated title and description.

bojanz commented:

Status: Active » Closed (outdated)

The underlying code has been split and modified too many times since beta1 for me to make sense of this bug report.
Closing as outdated. Please retest with 8.x-1.x-dev, and ideally, reopen the issue with a patch (can be just a test failure).
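
An added example, not code from the issue or from the module: a dependency-free PHP model of the "view" decision discussed in this thread, checking that a "view own" permission grants access to the owner only and that unpublished entities stay limited to the owner with "view own unpublished". The function can_view(), the "widget" entity type, the "basic" bundle and the sample accounts are assumptions made for illustration.

```php
<?php
// Dependency-free model of the "view" access decision; not Drupal code.
// Entity type "widget", bundle "basic" and all names here are hypothetical.

// $account: ['uid' => int, 'permissions' => string[]]
// $entity:  ['owner' => int, 'published' => bool, 'type' => string, 'bundle' => string]
function can_view(array $account, array $entity): bool {
  $type = $entity['type'];
  $bundle = $entity['bundle'];
  $is_owner = $account['uid'] === $entity['owner'];

  if (!$entity['published']) {
    // Unpublished: only the owner, and only with the dedicated permission.
    $accepted = $is_owner ? ["view own unpublished $type"] : [];
  }
  else {
    // Published: the general permissions apply to everyone ...
    $accepted = ["view $type", "view any $type", "view any $bundle $type"];
    // ... while "own" permissions are accepted only from the owner.
    if ($is_owner) {
      $accepted[] = "view own $type";
      $accepted[] = "view own $bundle $type";
    }
  }
  // OR semantics: any one accepted permission is enough.
  return (bool) array_intersect($accepted, $account['permissions']);
}

// Constructed sample data: user 7 owns both entities, user 8 owns neither.
$published = ['owner' => 7, 'published' => TRUE, 'type' => 'widget', 'bundle' => 'basic'];
$draft = ['published' => FALSE] + $published;
$own_only = ['view own widget'];

$cases = [
  // [label, account, entity, expected]
  ['owner with "view own"', ['uid' => 7, 'permissions' => $own_only], $published, TRUE],
  ['other user with "view own"', ['uid' => 8, 'permissions' => $own_only], $published, FALSE],
  ['other user with "view widget"', ['uid' => 8, 'permissions' => ['view widget']], $published, TRUE],
  ['owner, draft, "view own" only', ['uid' => 7, 'permissions' => $own_only], $draft, FALSE],
  ['owner, draft, "view own unpublished"', ['uid' => 7, 'permissions' => ['view own unpublished widget']], $draft, TRUE],
  ['other user, draft, "view widget"', ['uid' => 8, 'permissions' => ['view widget']], $draft, FALSE],
];
foreach ($cases as [$label, $account, $entity, $expected]) {
  $actual = can_view($account, $entity);
  if ($actual !== $expected) {
    throw new RuntimeException("Access matrix mismatch: $label");
  }
  printf("%-40s %s\n", $label, $actual ? 'allowed' : 'denied');
}
```

The second case is the one that separates an owner-gated check from a plain OR over all permission names: a non-owner holding only "view own widget" must be denied.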