Validate access on each submitted entity for bulk action

Author: akasake

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.9.5] - 2022-1-11
+### Fixed
+- Validate access on each submitted entity for bulk action
+
 ## [1.9.4] - 2021-12-16
 ### Fixed
 - Fix PHP 8.1 warnings

src/Form/BulkActionForm.php

@@ -140,6 +140,21 @@ public function validateForm(array &$form, FormStateInterface $formState): void
             $subFormState = SubformState::createForSubform($form['configuration']['form'], $form, $formState);
             $entities = $this->getEntities($formState);
 
+            if ($action instanceof ActionInterface) {
+                foreach ($entities as $entity) {
+                    if (!$action->access($entity)) {
+                        $formState->setErrorByName(
+                            sprintf('%s:%s', $entity->getEntityTypeId(), $entity->bundle()),
+                            sprintf(
+                                '"%s" is not allowed in "%s" Bulk operation',
+                                $entity->label(),
+                                (string) ($action->getPluginDefinition()['label'] ?? $action->getPluginId())
+                            )
+                        );
+                    }
+                }
+            }
+
             if ($action instanceof PluginFormInterface) {
                 $action->validateConfigurationForm($form, $subFormState);
             }