UncacheableEntityAccessControlHandler::checkEntityOwnerPermissions() incorrectly checks access for unpublished entities [#2977379]

The current logic will grant access to another user's unpublished entity, if the user has a "view any $entity_type" permission.
This is incorrect, "view any" is still limited to published entities. It also doesn't match what EntityAccessControlHandler is doing.

Fix incoming.

Comments

Comment #1

4 June 2018 at 22:26

bojanz created an issue. See original summary.

Comment #2

4 June 2018 at 22:28

bojanz committed bbeeb0b on 8.x-1.x

Issue #2977379 by bojanz: UncacheableEntityAccessControlHandler::...

Comment #3

bojanz CreditAttribution: bojanz at Centarro commented 4 June 2018 at 22:28

Status:

Active

» Fixed

Fixed.

Comment #4

18 June 2018 at 22:29

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

UncacheableEntityAccessControlHandler::checkEntityOwnerPermissions() incorrectly checks access for unpublished entities

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community