Open lukewertz opened 9 years ago
Just hacking at this to see how high-level I can go with a fix, I can validate that the following code gives me what I'm wanting:
/**
 * {@inheritdoc}
 */
public function createEntity() {
  $entity_info = $this->getEntityInfo();
  $bundle_key = $entity_info['entity keys']['bundle'];
  $values = $bundle_key ? array($bundle_key => $this->bundle) : array();
  if (empty($values['uid']) && $this->getAccount()) {
    $values['uid'] = $this->getAccount()->uid;
  }
  $entity = entity_create($this->entityType, $values);
  if ($this->checkEntityAccess('create', $this->entityType, $entity) === FALSE) {
    // User does not have access to create entity.
    $params = array('@resource' => $this->getPluginKey('label'));
    throw new RestfulForbiddenException(format_string('You do not have access to create a new @resource resource.', $params));
  }
  $wrapper = entity_metadata_wrapper($this->entityType, $entity);
  $this->setPropertyValues($wrapper);
  return array($this->viewEntity($wrapper->getIdentifier()));
}
This issue should be fixed by https://github.com/RESTful-Drupal/restful/pull/749
Using content access, I have a node type (notes) that users are allowed to create/edit/delete only their own nodes.
When RESTful's createEntity() method is called, the stub entity is created without the account information, which means that although the user is given access to create the entity, because the entity isn't (yet) owned by the user, no properties/fields can be set.
Allow me to demonstrate this with the following request:
If I debug the output of entity_access (here), I'll see the following response:
When RESTful creates the entity here, there is no uid property on the element, therefore when the entity_access check is done for permission on the user account to update the in-memory entity (158 in my example), entity_access denies the $op because it cannot validate that the $entity is owned by the user making the request.
I would propose that when a stub entity is created, the uid property should be attached before any other access checks happen.
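
The failure described in this issue, reduced to a self-contained PHP example (added here, not code from the RESTful module or from the posts above). The helpers own_content_access() and make_stub(), the permission strings and the sample account are constructed stand-ins for Drupal's access layer, used only to show why a stub without uid passes the create check but fails the ownership-based update check.

```php
<?php
// Added illustration: a simplified stand-in for an "edit own content" rule.
// own_content_access() and make_stub() are hypothetical helpers, not Drupal
// or RESTful functions.

/**
 * Grants 'create' by permission alone; grants 'update' only to the owner.
 */
function own_content_access(string $op, stdClass $entity, stdClass $account): bool {
  if ($op === 'create') {
    return in_array('create notes', $account->permissions, TRUE);
  }
  if ($op === 'update') {
    // A stub with no uid can never match the account, so the check fails closed.
    return in_array('edit own notes', $account->permissions, TRUE)
      && isset($entity->uid)
      && (int) $entity->uid === (int) $account->uid;
  }
  return FALSE;
}

/**
 * Builds an unsaved stub. The owner comes from the authenticated account only,
 * never from the request payload.
 */
function make_stub(string $bundle, ?stdClass $account = NULL): stdClass {
  $values = array('type' => $bundle);
  if ($account !== NULL) {
    $values['uid'] = $account->uid;
  }
  return (object) $values;
}

// Constructed sample account.
$account = (object) array(
  'uid' => 7,
  'permissions' => array('create notes', 'edit own notes'),
);

$stubs = array(
  'without uid' => make_stub('notes'),
  'with uid' => make_stub('notes', $account),
);
foreach ($stubs as $label => $stub) {
  printf("%-12s create=%s update=%s\n", $label,
    var_export(own_content_access('create', $stub, $account), TRUE),
    var_export(own_content_access('update', $stub, $account), TRUE));
}
```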