Problem/Motivation
The comment module comes with a CommentAccessControlHandler which is not really used on crucial places. Instead of using this handler, there are dozens of places, where the permissions provided by the comment module are checked directly (e.g. post comment permission checks instead of $entity->access('create') or access comments permission checks instead of $entity->access('view')).
For example, the $entity->access('create') access check is only used during comment link generation, but not for the comment form itself.
Due to this, it is currently impossible to create a custom access control handler for comment entities, as it would not be used where necessary. When reading through the code, you can also see there is a lot of access-related duplicate code (because the permission checks duplicate the access checks of the access control handler).
These changes will affect other issues as well, when those deal with comment access/permissions, but they are very important to get the comment entity access handling correct.
Proposed resolution
- Scan through the code and eliminate all permission checks with proper
$entity->access()checks. Search for the following permissions:- access comments
- post comments
- edit own comments
- If possible, the commenting status of the parent ID should be taken into account in the access control handler checks. As this status flag affects the entity access for certain operations, its checks should also be centralized in the access control handler
- Comment-related tests should still work as before, because only the access checking behavior is changed, but not the access requirements themselves
Remaining tasks
- Create a patch
User interface changes
None.
API changes
None.
Data model changes
None.