Make access control for the entity form in the original language more flexible

It's by design: it's an attempt to provide a way to emulate the old translation form where only translatable fields appeared. I guess we could try to provide an update function here.

I checked the code, not sure but there might actually a bug there: the idea is that one would require the 'edit original values' permission only to access the original language, it seems to me that the code now prevents access also to translations.

Attached patch provides a respective update function. It also grants the permission when the module is first installed...

I think we should take care also of comments, terms and users.

Attached patch adds a few permissions for taxonomy terms and users...

This brought up a new problem: if users are made translatable then the permission essentially needs to be granted to every authenticated user, or they won't be able to edit their user profiles anymore... I guess the permission needs to be more fine-grained (i.e. per entity type, same as "translate X entities").

Hm, forgot to attach. Leaving NW because of the problem with user accounts...

Mhm.

This brought up a new problem: if users are made translatable then the permission essentially needs to be granted to every authenticated user, or they won't be able to edit their user profiles anymore... I guess the permission needs to be more fine-grained (i.e. per entity type, same as "translate X entities").

Yes, this means we probably need more granular permissions, retitling accordingly. However since the access control is governed by the EntityTranslationHandlerInterface::getTranslationAccess() method we can override it in the various subclasses to make sure, for instance, that users can edit their own profiles or their own nodes, if they have the related permissions, and skip the 'edit original values' one.

We still need an update function, obviously :)

Attached patch adds a new set of permissions "edit [entity-type] original values", with the update function adjusted respectively.

I haven't overridden the getTranslationAccess() method for user entities, but instead just granted the "edit user original values" permission to all authenticated users during update/install. Do you think we should completely disable the "translation access" check for user entities?

I haven't overridden the getTranslationAccess() method for user entities, but instead just granted the "edit user original values" permission to all authenticated users during update/install. Do you think we should completely disable the "translation access" check for user entities?

Probably it would make sense, If I'm not mistaken one would need to grant the edit user original values permission to every user on the site, always. Hence no point to have it at all.

+++ b/entity_translation.install
@@ -93,6 +93,86 @@ function entity_translation_install() {
+  // Grant the 'edit original values' permission, so we don't break editing on existing sites.

Wrong comment wrapping.

+++ b/entity_translation.install
@@ -93,6 +93,86 @@ function entity_translation_install() {
+ * Grant 'edit $type original values' permission to roles which have respective entity
+ * editing permissions.

This should be one single line IIRC.

+++ b/entity_translation.install
@@ -93,6 +93,86 @@ function entity_translation_install() {
+  // Nodes
...
+  // Comments
...
+  // Taxonomy terms
...
+  // Files

Missing trailing dots.

+++ b/entity_translation.install
@@ -93,6 +93,86 @@ function entity_translation_install() {
+  // Files
+  if (module_exists('file_entity')) {
+    $permissions['file'][] = 'administer files';
+    $permissions['file'][] = 'edit file';
+  }

We cannot start supporting non-core entities, sorry. We may want to update the message to encourage site builders to manually update permissions for any contrib entity.

+++ b/entity_translation.install
@@ -93,6 +93,86 @@ function entity_translation_install() {
+ * @return
+ *   A message describing permission changes.

There should be an empty line between @param and @return.

+++ b/entity_translation.install
@@ -93,6 +93,86 @@ function entity_translation_install() {
+    $members_only = empty($perms);

Looks like $perms is never assigned.

Cleaned the patch up and removed the "edit user original values" permission.

Setting NR...

The patch looks good and works (almost) as intended. I performed some adjustment to permissions (creation permissions do not matter here, only edit and admin ones) and removed the special-casing of users. This looks ready to fly to me.

Cool, those changes make sense and look good to me. Can we use the "skip original values access" option in the default implementation of getTranslationAccess() and avoid adding the new user handler?

Yes, definitely

Here's a new patch based on #13 which removes the user handler.

Thanks, committed the patch with a couple of small adjustments.

Cool, thanks! :-)