Issue #3586311: Gate context item render on access('view') in usage record page.

Description

AiContextUsageRecordController rendered the full content of the referenced context item and its label via toLink() without checking $context_item->access('view'). Since the route only requires the view ai context usage permission, a user with that permission alone could view unpublished context items they would not otherwise have access to.

Changes

  • Summary row: Wrapped toLink() with a $context_item->access('view') check. When access is denied, the controller now displays the fallback text Context item @id (no access), matching the existing pattern used for the target entity in the same controller.

  • Content section: Added the same $context_item->access('view') guard to prevent rendering the details block when the current user does not have permission to view the context item.

  • Tests: Added AiContextUsageRecordAccessTest with two functional test cases:

    • Unpublished item: Verifies that a user with only the view ai context usage permission sees the fallback text and cannot see the context item label or content.
    • Published item: Verifies that an administrator with the appropriate permissions can view both the context item label and the content section as expected.

Checklist

  • I have updated the MR title to use format: Issue #1234: My issue title.
  • I have updated the MR description to include: Closes #1234
  • I have performed a self-review of my own code
  • I have added or updated tests, or explained in the description why this change is not covered by tests
  • I have updated documentation for any new or changed functionality
  • I have written testing instructions and verified them locally
  • I have noted any required post-merge steps (config imports, cache rebuilds, manual changes)
  • This MR contains no breaking API or hook changes, or they are explicitly documented in the description

AI Compliance

Note

Check the one that best describes your usage, or leave all unchecked if AI was not significantly used.

  • AI Assisted Code
    Mainly written by a human; AI used for autocomplete or partial generation under full human supervision.

  • AI Generated Code
    Mainly generated by AI, reviewed and approved by a human before this MR was created.

  • Vibe Coded
    Generated by AI and only functionally reviewed before this MR was created.

Closes #3586311

Edited by Pravesh Poonia
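
The guard described under Changes, sketched as an added example that is not the module's own code: it assumes Drupal core's entity and cache APIs, and the namespace, class and method names are hypothetical. It goes one step beyond the description by attaching the access result's cache metadata to the output, so cached markup varies with the access decision.

```php
<?php

namespace Drupal\example_module; // Hypothetical module namespace.

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;

/** Hypothetical helper illustrating the check; not the module's controller. */
final class ContextItemSummaryBuilder {

  use StringTranslationTrait;

  public function __construct(private readonly EntityTypeManagerInterface $entityTypeManager) {}

  public function build(EntityInterface $context_item): array {
    // Route permission alone says nothing about this entity. Ask the entity,
    // and request the AccessResult object so its cacheability can be kept.
    $access = $context_item->access('view', NULL, TRUE);

    if ($access->isAllowed()) {
      $build = [
        'summary' => $context_item->toLink()->toRenderable(),
        'content' => $this->entityTypeManager
          ->getViewBuilder($context_item->getEntityTypeId())
          ->view($context_item),
      ];
    }
    else {
      // Denied: expose only the ID, never the label or rendered content.
      $build = ['summary' => [
        '#markup' => $this->t('Context item @id (no access)', ['@id' => $context_item->id()]),
      ]];
    }

    // Carry the access result's cache contexts and tags into the render
    // array, so the cached output depends on who was allowed to see it.
    CacheableMetadata::createFromRenderArray($build)
      ->addCacheableDependency($access)
      ->applyTo($build);

    return $build;
  }

}
```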
