Problem

The webform save-to-vault submit gate (pdv_webform PdvRecordMap) decides writability with ConsumerApi::kindAccess(), which resolves kind-level trust only (trustedKindsByScope) and never consults per-item grants. But ConsumerApi::updateRecord() authorizes a write by trust OR a write-grant on the existing item. So a user holding a per-item write grant on their existing record (e.g. a unique "Civil status") is told to grant write access and can never clear the gate, even though the update would succeed.

Fix

kindAccess() now reports a kind accessible when the consumer has a kind trust OR a per-item grant on an existing item of the kind, reusing the scope-generic primitives (trustedKindsByScope and listItemsByScope). The grant path is gated to unique kinds: only there is "the kind" a single unambiguous target, matching updateRecord, which acts on the unique owner item. Adds Vault::isUniqueKind() as the single uniqueness predicate (also reused by lockUniqueKind).

Tests

  • A per-item write grant alone makes a unique kind writable in kindAccess.
  • A per-item grant does not make a non-unique kind writable.
  • No trust and no grant leaves the kind not writable.
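
The gate-versus-enforcement mismatch and the fix described above, as an added PHP model that is not the module's own code: the function names, array shapes and sample data are constructed for illustration.

```php
<?php
// Simplified model with constructed data and hypothetical function names.

// The consumer trusts no kind; the user granted write on one existing item
// of a unique kind and on one item of a non-unique kind.
$trustedKinds = [];                 // kind-level trust for the scope
$uniqueKinds  = ['civil_status'];   // kinds that have a single owner item
$items = [                          // existing items with their per-item grant
    ['id' => 1, 'kind' => 'civil_status', 'grant' => 'write'],
    ['id' => 2, 'kind' => 'address',      'grant' => 'write'],
];

// Enforcement point: trust on the kind OR a write grant on the item itself.
function update_allowed(array $trustedKinds, array $item): bool {
    return in_array($item['kind'], $trustedKinds, true) || $item['grant'] === 'write';
}

// Gate before the fix: kind-level trust only, per-item grants never consulted.
function gate_before(array $trustedKinds, string $kind): bool {
    return in_array($kind, $trustedKinds, true);
}

// Gate after the fix: trust, or (unique kinds only) a write grant on an
// existing item of the kind.
function gate_after(array $trustedKinds, array $uniqueKinds, array $items, string $kind): bool {
    if (in_array($kind, $trustedKinds, true)) {
        return true;
    }
    if (!in_array($kind, $uniqueKinds, true)) {
        return false; // several items may exist, so the kind names no single target
    }
    foreach ($items as $item) {
        if ($item['kind'] === $kind && $item['grant'] === 'write') {
            return true;
        }
    }
    return false;
}

// One row per test case: unique kind with grant, non-unique kind with grant, no grant.
foreach (['civil_status', 'address', 'phone'] as $kind) {
    printf("%-13s gate_before=%s gate_after=%s\n", $kind,
        var_export(gate_before($trustedKinds, $kind), true),
        var_export(gate_after($trustedKinds, $uniqueKinds, $items, $kind), true));
}
printf("update of item 1 allowed=%s\n", var_export(update_allowed($trustedKinds, $items[0]), true));
```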

Issue fork pdv-3593532


Comments

mably created an issue. See original summary.


Status: Active » Needs review

  • mably committed 86179383 on 1.x
    fix: #3593532 kindAccess() ignores per-item write grants, so save-to-...

Status: Needs review » Fixed


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.