fix(term): Restore term click and edit AJAX functionality
Closes #3505219
- Resolved by Klaus Purer
added 1 commit
- d2af6077 - - Fixes AJAX functionality with media libraries
added 2 commits
reset approvals from @klausi by pushing to the branch
added 1 commit
- 0948badc - Attach user permissions to drupalSettings for use in JavaScript to avoid...
added 1 commit
- b4c470cd - Only load the form if the user has permission to edit terms
added 1 commit
- 2ff19f72 - make sure that the deleteButton is only used if it exist
added 1 commit
- 9236b0ad - make sure that the deleteButton is only used if it exist
288 $form['load-term-data'] = [ 289 '#type' => 'textfield', 290 ]; 284 291 285 /** 286 * {@inheritdoc} 287 */ 288 public function taxonomyTermSubmitHandler(array &$form, FormStateInterface $form_state) { 289 $tid = $form_state->getValue(['search_terms']); 290 $url = Url::fromRoute('entity.taxonomy_term.edit_form', [ 291 'taxonomy_term' => $tid, 292 ]); 293 $form_state->setRedirectUrl($url); 292 // Attach user permissions to drupalSettings for use in JavaScript. 293 $form['#attached']['drupalSettings']['taxonomy_manager']['permissions'] = [ 294 'can_edit_terms' => $current_user->hasPermission('edit terms in ' . $taxonomy_vocabulary->id()), ah, I see that taxonomy manager checks
_entity_create_access for the overview page, which is a little bit wrong ... it should probably check term edit access. Not sure if this is worth reporting as a security issue, I don't really care?
Anyway, we also need to check the permission "administer taxonomy" here to be in sync with taxonomy core.
Thank you, I fixed that! We do have some users who don't have permission to edit a term but do have access to the taxonomy manager in order to use the tree to browse the terms in a vocabulary.
But something definitely doesn't seem right about the permissions. Like you said, it uses _entity_create_access for the page, but when it lazy loads the nested terms in the tree it uses the 'access taxonomy manager list' permission, which seems wrong to me.
changed this line in version 22 of the diff
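Review bot: at the `can_edit_terms` line, the flag is computed from the single permission string `'edit terms in ' . $taxonomy_vocabulary->id()` and then handed to the browser through drupalSettings, so it can only decide what the JavaScript shows and is not an access check in itself. As raised in the thread, "administer taxonomy" should be accepted as well so the flag matches taxonomy core. The comment above the assignment should also say that the value is display-only and that the callback returning the edit form repeats the check on the server. Separately, `$form['load-term-data']` has only `#type` in the visible lines; a one-line comment saying what the element is for would make it easier to review.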
89 89 _title: 'Edit taxonomy term' 90 90 requirements: 91 91 _taxonomy_manager_access_check: 'TRUE' 92 93 taxonomy_manager.term_form: 94 path: '/ajax/taxonomy_manager/term/{tid}/edit' 95 defaults: 96 _controller: '\Drupal\taxonomy_manager\Form\TaxonomyManagerForm::termDataCallback' 97 _title: '' changed this line in version 23 of the diff
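Review bot: the new `taxonomy_manager.term_form` route is visible only up to `_title: ''`, with no `requirements` key shown for it, so access control on `/ajax/taxonomy_manager/term/{tid}/edit` cannot be confirmed from these lines. Judging by its path and callback name, the route hands back edit data for whichever `{tid}` is requested, so it should carry a requirement tied to update access on that specific term, for example by upcasting the parameter to `taxonomy_term` and using `_entity_access: 'taxonomy_term.update'`. The overview-level `_taxonomy_manager_access_check` used by the route above it is not sufficient on its own. If the check is done inside `termDataCallback` instead, a comment on the route saying so would help the next reviewer.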