entity_access calls do not send the provided bundle parameter, causing, e.g., fieldable_panels_pane to return FALSE even if the user has access to create content for a specific bundle.

Comments

rogical’s picture

Status: Active » Needs review
devuo’s picture

entity_access() expects the third parameter to be an entity object. This is not always true for references_dialog as I was having the following notices:

Notice: Trying to get property of non-object in entity_metadata_no_hook_node_access() (line 610 of sites/all/modules/entity/modules/callbacks.inc).
en (line 611 of sites/all/modules/entity/modules/callbacks.inc).
Notice: Trying to get property of non-object in entity_metadata_no_hook_node_access() (line 611 of sites/all/modules/entity/modules/callbacks.inc).

The attached patch solves this issue.

devuo’s picture

Actually, scratch that. While this "solves" the issue, the patch in #2 bypasses per bundle access control.

devuo’s picture

Given that neither Entity API nor Drupal provides a generic method to check access, per bundle, for create operations, this has to be implemented on a case by case basis. The attached patch does just that for node entities. We should, however, provide a hook for modules wishing to extend this functionality for their own entities.

rogical’s picture

Status: Needs review » Reviewed & tested by the community

Yes, here we need a hook, for now, this patch is ok.

jaydub’s picture

Version: 7.x-1.0-alpha4 » 7.x-1.x-dev
Status: Reviewed & tested by the community » Needs review

Patch doesn't apply against HEAD so rerolled for 1.x-dev version.

rogical’s picture

Status: Needs review » Fixed

committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

manuelBS’s picture

I am not able to apply the patch https://drupal.org/files/references_dialog-1856978-7.patch at all, please see http://screencast.com/t/4Lsh9ppQKm
Is there a patch for the alpha4 version or when will a new module version be released that includes the patch?

David_Rothstein’s picture

I started to write a patch for this before realizing it was already fixed in the dev version... For what it's worth, my approach would have continued to use entity_access() in all cases:

-  // We use entity_access here. We provide the bundle if this is a node type,
-  // since node_access expects that to be passed to it as the entity when you
-  // run node_access('create')
-  if (entity_access('create', $entity_type, $entity_type == 'node' ? $bundle : NULL) &&
+  // We use entity_access here. We provide a stub entity containing the bundle
+  // if this is a node type, since entity_access() requires that.
+  $entity = $entity_type == 'node' ? entity_create('node', array('type' => $bundle)) : NULL;
+  if (entity_access('create', $entity_type, $entity) &&
     $path = references_dialog_get_admin_path($entity_type, 'add', $bundle)) {
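
Review bot: In the added `$entity = $entity_type == 'node' ? ... : NULL;` line, every entity type other than node still reaches entity_access('create', ...) with NULL as the third argument, so a bundle-specific create permission for those types (the fieldable_panels_pane case from the issue summary) is still evaluated without any bundle information. Consider building the stub for any entity type that defines a bundle key in entity_get_info($entity_type) instead of special-casing node, and have the new code comment state that the check depends on the Entity module change in #1780646, since without it the stub's bundle is not consulted.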

But it requires fixing #1780646: entity_access() fails to check node type specific create access in the Entity module in order to work.

David_Rothstein’s picture

@manuelBS, the patch in #4 should work for alpha4.

manuelBS’s picture

I see, thanks for this hint. Now it works for me, too.