Open
Description
Status quo:
1. Currently, in order to "view" the content_box entities embedded on a page, one has to have "View" access on the entity bundle.
2. In order to "add" content_box entities embedded on a page, one has to have "Add" access on the entity bundle.
3. In order to "remove" content_box entities embedded on a page, one has to have "Delete" access on the entity bundle.
Problems arising:
- As a consequence of 1., Anonymous can see any content_box by guessing the URL.
- As a consequence of 2. anyone can edit other user's
Todos:
- View (any) {Bundle} Entities in full view mode -> separate "View embedded entity" permission (view on node/123 if user can view node/123) from "View full entity" (i.e. /content_box/dynamic_content/1234)
- View own {Bundle} Entities in full view mode -> scope this more tightly?
- Edit/Delete own {Bundle} Entities -> scope this more tightly?
- Provide a simple "content_box_access" hook analogous to "node_access" behavior?