Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Same sort of problem as #2029319: ConfigEntityListController::getOperations adds 'enable' and 'disable' without checking access.
If using EntityFormController as the entity form controller, the form shown has a Delete button even if the entity access controller's checkAccess() doesn't allow delete operation.
Comment | File | Size | Author |
---|---|---|---|
#37 | drupal8-2084323-37-interdiff.txt | 1.04 KB | Berdir |
#37 | drupal8-2084323-37.patch | 8.93 KB | Berdir |
#35 | drupal8-2084323-35.patch | 10.34 KB | Berdir |
#29 | drupal8-2084323-29.patch | 10.34 KB | Berdir |
#25 | drupal8-2084323-25.patch | 10.4 KB | Jalandhar |
Comments
Comment #1
BerdirShould be as easy as adding #access => $entity->access('delete') for the delete form submit element?
Comment #2
sandipmkhairnar CreditAttribution: sandipmkhairnar commentedFirst drafted patch.
Comment #3
sandipmkhairnar CreditAttribution: sandipmkhairnar commentedComment #4
BerdirYou should be able to use $this->entity, this is already done in actionsElement()
Comment #5
sandipmkhairnar CreditAttribution: sandipmkhairnar commentedOhhhh....Thanks Berdir for comment. Updated patch as per comment.
Comment #6
sandipmkhairnar CreditAttribution: sandipmkhairnar commentedComment #9
sandipmkhairnar CreditAttribution: sandipmkhairnar commented5: set-delete-access-2084323-5.patch queued for re-testing.
Comment #10
Berdir$this->entity->access(), not $this->access()
Comment #13
sandipmkhairnar CreditAttribution: sandipmkhairnar commentedupdated patch.
Comment #14
sandipmkhairnar CreditAttribution: sandipmkhairnar commentedComment #16
sandipmkhairnar CreditAttribution: sandipmkhairnar commentedComment #17
BerdirAwww, bad contact message entity :)
Comment #18
tim.plunkettIn actionsElement, we have
Either that should be moved here, or this should be moved there. But not both please.
Comment #19
BerdirYep, makes sense.
Comment #20
XanoDiscussed this change with Berdir and it makes sense to let the entity access controller deny delete access in general if the entity is new.
Comment #21
tim.plunkettThis should have been reproducible with NodeType, except it explicitly added checks in NodeTypeFormController::actions().
I think we can delete that line, and write a test for it that fails without this fix.
Comment #22
BerdirAh, great hint, made me go through our form controllers and it turns out that a ton of them manually check delete access, so a lot of custom overrides that we can remove.
A number of them remove the delete button unconditionally, like date format edit and actions edit, didn't touch them.
Also added the test coverage, found a place where it nicely fit in I think.
Comment #23
tim.plunkettBeautiful! Thanks.
Comment #25
Jalandhar CreditAttribution: Jalandhar commentedUpdating the patch with re-roll. Please review.
Comment #26
BerdirRe-roll looks good, thanks.
Comment #27
catch25: drupal8-2084323-25.patch queued for re-testing.
Comment #29
Berdirgit rebase re-roll, shortcut files were moved.
Comment #31
Berdir29: drupal8-2084323-29.patch queued for re-testing.
Comment #32
catchBack to green.
Comment #33
BerdirYes, previous fail was a bot hickup (the "failed to create directory" kind of fails)
Comment #35
BerdirRe-roll, but let's get #2238077: Rename EntityFormController to EntityForm in first.
Note that delete is now a link, but we can still control access for the link...
Comment #37
BerdirRe-roll, fixed the node type tests now that the label is different and is a link. Reverted changes to ProfileForm (not in interdiff), #216064: Entity form "Delete" button triggers server-side + HTML5 form validation; change "Delete" button to a link messed that up, as it is now no longer there by default as it's only added if there's a delete-form, so it's defines a new form element. Opened #2250377: ProfileForm::actions() defines new delete element instead of altering it as it expects.
Comment #38
XanoLooks good.
Comment #39
tim.plunkettComment #40
catchCommitted/pushed to 8.x, thanks!