Access check in ApiAutoSaveController::post() should be performed earlier
With the changes in !1271 (merged) the access check happens too late in the handling of an auto-save items publishing request.
If a user submits to ApiAutoSaveController::post() a list of entities they have no access to, those entities are filtered out in ApiAutoSaveController::getPublishableAutoSaves() via:
$access = $item['entity']->access('view label', return_as_object: TRUE);
...
return $access->isAllowed() && ($item['is_default_translation'] ?? TRUE);

This results in a set of "publishable auto-save items" that is missing the entities the user submitted. The request then fails validation in ApiAutoSaveController::validateExpectedAutoSaves() with an HTTP 409 response and the error message "An unexpected item was found in the publish request. Please refresh your page and try again."
The check of whether the user actually has permission to perform the update operation on the entities in the request is never reached (ApiAutoSaveController lines 346-371), and therefore the expected CacheableAccessDeniedHttpException response is never returned.
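The two orderings described above, as an added illustration that is not the module's own code: the entity stub, the two exception classes and both publish functions are hypothetical stand-ins, and the stub's access() takes only the operation name, unlike the real EntityInterface::access().

```php
<?php
// Added illustration (hypothetical stand-ins, not ApiAutoSaveController code):
// shows why filtering by 'view label' before the update-access check turns an
// expected access-denied response into a misleading "unexpected item" conflict.
declare(strict_types=1);

final class EntityStub {
  public function __construct(public string $id, private array $allowed) {}
  // Simplified stand-in for EntityInterface::access($operation): returns a boolean.
  public function access(string $op): bool { return in_array($op, $this->allowed, true); }
}
final class ConflictException extends RuntimeException {}      // stands in for the HTTP 409
final class AccessDeniedException extends RuntimeException {}  // stands in for CacheableAccessDeniedHttpException

/** Current order: filter by 'view label' first, then compare against the request. */
function publishFilterFirst(array $requested, array $autoSaves): string {
  $publishable = array_filter($autoSaves, fn(EntityStub $e) => $e->access('view label'));
  $unexpected = array_diff($requested, array_map(fn(EntityStub $e) => $e->id, $publishable));
  if ($unexpected) {
    // The user's own entity is reported as "unexpected" because it was filtered out.
    throw new ConflictException('An unexpected item was found in the publish request.');
  }
  foreach ($publishable as $e) {
    if (!$e->access('update')) { throw new AccessDeniedException($e->id); }
  }
  return 'published';
}

/** Fixed order: decide update access for every requested entity before filtering. */
function publishAccessFirst(array $requested, array $autoSaves): string {
  foreach ($autoSaves as $e) {
    if (in_array($e->id, $requested, true) && !$e->access('update')) {
      throw new AccessDeniedException($e->id);
    }
  }
  // Only genuinely unknown items can now reach the conflict path.
  return publishFilterFirst($requested, $autoSaves);
}

// Constructed sample: the user asks to publish node/1 but may neither view nor update it.
$autoSaves = [new EntityStub('node/1', [])];
foreach (['publishFilterFirst', 'publishAccessFirst'] as $fn) {
  try { echo $fn, ': ', $fn(['node/1'], $autoSaves), PHP_EOL; }
  catch (RuntimeException $e) { echo $fn, ': ', get_class($e), PHP_EOL; }
}
```

The first function reports a conflict for an entity the user did submit, while the second denies access for it, which is the behaviour the controller is expected to produce.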
Testing instructions
- First step for someone to test the changes in this MR
Closes #3591736