Problem/Motivation

Users can access the layout builder on entities regardless of whether layout functionality is enabled or Allow each content item to have its layout customize option is enabled.

Steps to reproduce

  • Navigate to the entity type manage display that supports the layout builder, such as the user entity.
  • Ensure that the layout builder option is disabled.
  • Proceed to the user edit page.
  • You will observe that the local tasks provide a link to access the layout builder.
  • If you click on this link, you will be redirected to the layout builder page for that content without encountering a 403 Access Denied error.

Proposed resolution

Check if the current has any of the following permissions

  • configure any layout
  • configure all {{entity_bundle}} {{entity_type_id}} layout override
  • access layout builder page

This allows to edit the layout of selected content types

Remaining tasks

  • ✅ File an issue about this project
  • ✅ Addition/Change/Update/Fix to this project
  • ✅ Testing to ensure no regression
  • ➖ Automated unit/functional testing coverage
  • ➖ Developer Documentation support on feature change/addition
  • ➖ User Guide Documentation support on feature change/addition
  • ➖ UX/UI designer responsibilities
  • ➖ Accessibility and Readability
  • ✅ Code review from 1 Varbase core team member
  • ✅ Full testing and approval
  • ✅ Credit contributors
  • ✅ Review with the product owner
  • ✅ Update Release Notes and Update Helper on new feature change/addition
  • ✅ Release varbase-10.0.2, varbase_layout_builder-10.1.3

Varbase update type

  • ✅ No Update
  • ➖ Optional Update
  • ➖ Forced Update
  • ➖ Forced Update if Unchanged

User interface changes

After the fix:

The Content Admin user role has permission to change the layout.

But the SEO Admin user role has no any permissions to change any layout.
for selected content types.

API changes

  • N/A

Data model changes

  • N/A

Release notes snippet

  • Issue #3470409 by ahmad khader: Fixed Layout Builder Access operation Without Enabled Functionality
CommentFileSizeAuthor
#11 Content-v10x1---seo-admin.png180.77 KBrajab natshah
#11 Content-v10x1---content-admin.png177.18 KBrajab natshah

Comments

ahmad khader created an issue. See original summary.

rajab natshah’s picture

rajab natshah
he/him
commented

Thanks, Ahmad, for reporting.

Look for which Layout Builder integration module is allowing that. maybe the permission one.
Or our custom "Layout" action item.

Report that in the module, then let us the patch for the fix.
Maybe that could be reported as a security issue, not a normal one.
Even this issue could be changed as a security issue ( try to contact the security team )

Next time: When you create any access or security issue, it is better to select the option to type as a security issue.

ahmad khader’s picture

ahmad khader commented

Thanks, Rajab for your feedback on this issue.
I don't think this is a vulnerability issue as normal users who don't have access to the layout builder manage or edit won't have access.
The problem is that the layout builder is enabled without actually being enabled.

rajab natshah’s picture

rajab natshah
he/him
commented
Priority: Critical » Normal
Status: Active » Needs work

Got that.
Let us add user has permission wrapper condition
https://git.drupalcode.org/project/varbase_layout_builder/-/blob/10.1.x/...

  • Quick fix.
  • then Quick release
rajab natshah’s picture

rajab natshah
he/him
commented
Title: Users can access the layout builder on entities regardless of whether layout functionality is enabled » Fix Layout Builder Access operation Without Enabled Functionality
rajab natshah’s picture

rajab natshah
he/him
commented

Check with the code in the Layout Builder Operation Link module.
Maybe the module has better logic. or more access restrictions.
They did not add the following in Drupal Core yet
#3368656: Add 'Layout' Operation Link to entities

ahmad khader’s picture

ahmad khader commented
Related issues: +#3471460: Fix users having access to the layout builder on entities regardless of whether the layout is enabled

Please check the related issue

rajab natshah’s picture

rajab natshah
he/him
commented

Noted;
The permission one.

Let us add your Patch to Varbase Patches
File and issue/ and Pull Requiest

rajab natshah’s picture

rajab natshah
he/him
commented
Issue summary: View changes
rajab natshah’s picture

rajab natshah
he/him
commented
Assigned: Unassigned » rajab natshah
Status: Needs work » Active
rajab natshah’s picture

rajab natshah
he/him
commented
Issue summary: View changes
StatusFileSize
new Content-v10x1---content-admin.png177.18 KB
new Content-v10x1---seo-admin.png180.77 KB
rajab natshah’s picture

rajab natshah
he/him
commented
Issue summary: View changes

  • rajab natshah committed 84acf393 on 10.1.x 
    Issue #3470409: Fix Layout Builder Access operation Without Enabled...
rajab natshah’s picture

rajab natshah
he/him
commented
Assigned: rajab natshah » Unassigned
Issue summary: View changes
Status: Active » Needs review
Issue tags: +varbase-10.0.2, +varbase_layout_builder-10.1.3
rajab natshah’s picture

rajab natshah
he/him
commented
Status: Needs review » Fixed
rajab natshah’s picture

rajab natshah
he/him
commented
Issue summary: View changes

✅ Released varbase_layout_builder-10.1.3

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

rajab natshah’s picture

rajab natshah
he/him
commented
Issue summary: View changes

✅ Released varbase-10.0.2