Problem/Motivation
The bulk operations form lists every available action for the entity type without checking whether the current user has access to perform that action.
web/core/modules/system/src/Plugin/views/field/BulkForm.php:
  /**
   * {@inheritdoc}
   */
  public function init(ViewExecutable $view, DisplayPluginBase $display, array &$options = NULL) {
    parent::init($view, $display, $options);
    $entity_type = $this->getEntityType();
    // Filter the actions to only include those for this entity type.
    $this->actions = array_filter($this->actionStorage->loadMultiple(), function ($action) use ($entity_type) {
      return $action->getType() == $entity_type;
    });
  }
This appears to be because action access is tied to access on the particular entity being operated on, not to whether the user is allowed to perform that type of action at all. See ActionInterface::access() described here.
For example:
- Create a new role 'editor'
- Grant editor role 'view user information' but not 'administer users'
- Change /admin/people view access to 'view user information'
- As an editor, view /admin/people: all actions, including cancelling user accounts, are listed as bulk action options
Proposed resolution
Create a sample entity of the current type and pass it to the action's access() method to decide whether the action should be shown among the bulk actions. I am not sure if creating a sample entity is a feasible approach.
Alternatively, we could provide a method like bulkAccess() on the action and allow the action to define when it is appropriate to be shown.
Or we could assume that access to the confirm route means the action may be shown as a bulk action, since the plugin annotation already carries this information:
  @Action(
    id = "user_cancel_user_action",
    label = @Translation("Cancel the selected user accounts"),
    type = "user",
    confirm_form_route_name = "user.multiple_cancel_confirm"
  )
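To make the third option concrete, here is an added example of what the filtering could look like. It is not code from this issue or from Drupal core: BulkActionAccessFilter is a hypothetical helper, and it assumes the core access_manager service (AccessManagerInterface::checkNamedRoute()) and the Action config entity API as they exist in 8.x. Actions without a confirm_form_route_name are kept, so only confirm-form actions change behaviour; the route check passes no route parameters, which is enough for parameterless routes such as user.multiple_cancel_confirm.

```php
<?php

namespace Drupal\system\Plugin\views\field;

use Drupal\Core\Access\AccessManagerInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\system\ActionConfigEntityInterface;

/**
 * Filters action config entities down to those usable as bulk operations.
 *
 * Hypothetical helper (not part of Drupal core) illustrating the proposal to
 * treat access to an action's confirm-form route as the signal that the
 * action may be offered in the bulk form.
 */
class BulkActionAccessFilter {

  /**
   * The access manager service.
   *
   * @var \Drupal\Core\Access\AccessManagerInterface
   */
  protected $accessManager;

  public function __construct(AccessManagerInterface $access_manager) {
    $this->accessManager = $access_manager;
  }

  /**
   * Keeps only the actions for $entity_type_id that $account may use in bulk.
   *
   * @param \Drupal\system\ActionConfigEntityInterface[] $actions
   *   All loaded action config entities, e.g. from actionStorage->loadMultiple().
   * @param string $entity_type_id
   *   The entity type the bulk form operates on (BulkForm::getEntityType()).
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user viewing the bulk form.
   *
   * @return \Drupal\system\ActionConfigEntityInterface[]
   *   The actions to offer, keyed like the input array.
   */
  public function filter(array $actions, $entity_type_id, AccountInterface $account) {
    return array_filter($actions, function (ActionConfigEntityInterface $action) use ($entity_type_id, $account) {
      // Same entity-type filter the bulk form already applies.
      if ($action->getType() != $entity_type_id) {
        return FALSE;
      }
      return $this->allowed($action, $account);
    });
  }

  /**
   * Decides whether one action may be offered to $account as a bulk option.
   */
  public function allowed(ActionConfigEntityInterface $action, AccountInterface $account) {
    // The confirm_form_route_name comes from the @Action annotation.
    $definition = $action->getPlugin()->getPluginDefinition();
    if (empty($definition['confirm_form_route_name'])) {
      // No confirm route to check: keep current behaviour and show the action.
      return TRUE;
    }
    // Route access already encodes the "administer users"-style requirement
    // (e.g. user.multiple_cancel_confirm), so a user who cannot reach the
    // confirm form does not get the action listed either.
    return $this->accessManager->checkNamedRoute($definition['confirm_form_route_name'], [], $account);
  }

}

// Intended use inside BulkForm::init(), replacing the existing array_filter():
//   $filter = new BulkActionAccessFilter(\Drupal::service('access_manager'));
//   $this->actions = $filter->filter($this->actionStorage->loadMultiple(),
//     $this->getEntityType(), \Drupal::currentUser());
```

In a real patch the access manager and current user would be injected through the plugin's create() method rather than fetched from the static \Drupal container, and the result would need cache metadata (at least the user.permissions context) added to the view's render output, since the list of actions now varies by user.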
Remaining tasks
Decide how to approach this.
User interface changes
Only bulk action operations that the user has access to are shown.
API changes
None (depending on route chosen to solve this).
Data model changes
None.