Problem/Motivation
Currently users have to be granted permission to update all events displayed on the calendar or none at all. I think fullcalendar drag and drop updates should respect all entity permissions, e.g. 'edit own content'. Bypassing these permissions really limits the use of drag and drop updating in many use cases.
Proposed resolution
Added an entity_access() check to fullcalendar_update and returned a custom message to be displayed in the fullcalendar-status div if it fails.
Remaining tasks
Though a separate and mutually exclusive issue, the functionality proposed in #1938350: Create a hook to validate/abort/alter events updated via ajax & allow return of basic status to fullcalendar display. would enhance this solution.
User interface changes
New message shown to calendar users on entity_access() fail.
API changes
None.
Original report by [username]
N/A
Comment | File | Size | Author |
---|---|---|---|
#1 | fullcalendar-add-entity-access-check-1938364-1.patch | 955 bytes | slcp |
Comments
Comment #1
slcp commented
Comment #2
slcp commented
Just seen: #1842550: _fullcalendar_update_access() expects entity (object), receives entity id (string) as menu access callback
I should probably be using _fullcalendar_update_access() here instead. Also remembered that entity is not in core anyway...roll on D8 :-)
Will remake this patch in the next couple of days.
Comment #3
slcp commented
Kinda misunderstood the access checks already taking place, not quite sure how I was reading them. Closed this as a duplicate of #1842550: _fullcalendar_update_access() expects entity (object), receives entity id (string) as menu access callback
Comment #4
slcp commented