Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Drupal core entity access handlers now support a 'view label' access operation: https://www.drupal.org/node/2661092
It would be good for EntityPermissionProviderBase / EntityAccessControlHandler to provide support for this.
One question I'm not sure about: the core access handler has a property to determine whether to use the 'view label' operation. The idea there being that if an entity type wants that to be TRUE, it uses a subclassed handler:
/**
* Allows to grant access to just the labels.
*
* By default, the "view label" operation falls back to "view". Set this to
* TRUE to allow returning different access when just listing entity labels.
*
* @var bool
*/
protected $viewLabelOperation = FALSE;
How we handle letting entity types declare whether they want this permission to be exposed, while still using Entity API's generic handler class?
Comments
Comment #2
bojanz CreditAttribution: bojanz at Centarro commentedRetitling. I've investigated this, and realized that there's no such thing as a "view label" permission anywhere in core. The operation was added to provide an indication to access control handlers that its safe to use reduced access checking: user/menu/date format entities skip access checking completely, node type checks for "access content" and media type checks for "view media".
So, the real solution is to check whether the user has access to view the actual entity.
For product types that means "view commerce_product" or "view $bundle commerce_product" where $bundle is the ID of the bundle entity, plus the admin permission.
Comment #4
bojanz CreditAttribution: bojanz at Centarro commentedDone, modeled after MediaTypeAccessControlHandler.