Node access default grant behavior is not clear

Created on 17 April 2015, about 10 years ago
Updated 19 March 2025, about 2 months ago

Problem/Motivation

Followup from #2461049: Node module permissions are broken if hook_node_grants is implemented.

The node grant/access record system has a behavior where if no hook_node_grants() implementations are defined and therefore no modules provide node access records for specific nodes, a global "view all grant" is written instead. Having this default behavior buried inside the storage is already confusing, but the documentation for it is already pretty thin. The NodeGrantDatabaseStorageInterface::writeDefault() method docs say:

Creates the default node access grant entry.

...So that's nice but what is the "default node access grant entry"?
There is also no documentation inside the main implementation of NodeGrantDatabaseStorage::writeDefault() about what the "default grant" is (i.e., fall back to a view access grant for all).

Also see

Furthermore, none of the classes and interfaces involved in node access belong to the node access documentation topic, so the default behavior is not discoverable or clear in the "big picture" there. This is important because "view access for all but no edit nor delete access" is only the default behavior when (a) the "bypass node access" permission is not granted, (b) the "view published content" permission is granted, (c) no hook_entity_access() or hook_node_access() implementations already allowed or denied access for the operation, and (d) the node is not unpublished.

Finally, this logic seems somewhat like it should be part of the node access control handler (as a conceptual default behavior), and the storage implementation should just be... a storage implementation. #2461049: Node module permissions are broken if hook_node_grants is implemented adds the logic as actual code, but then it's in two places. Maybe there should be a grantDefaultAccess() method or something that we factor out?

Proposed resolution

  1. Improve the NodeGrantDatabaseStorage::writeDefault() method docblock and the NodeAccessControlHandlerInterface::writeDefaultGrant() documentation.
  2. Add inline documentation to NodeGrantDatabaseStorage::writeDefault() explaining what logic the storage implementation is implementing.
  3. Clarify the default grant behavior in the node access group documentation.
  4. Decide whether we should factor out the logic of the default behavior into its own method (or something).

Related: #2473123: Add node grant classes and interfaces to the node access topic

Remaining tasks

TBD

User interface changes

N/A

API changes

TBD

Postponed until

#2461049: Node module permissions are broken if hook_node_grants is implemented

Task

Status: Active

Version: 11.0

Component: node system

Created by: xjm (United States)
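The default grant behavior described under Problem/Motivation, as an added example that is not part of the original issue and not Drupal core code: a simplified model of the default row and the four conditions (a) to (d). The helper names grantTable() and nodeAccess() and the sample data are hypothetical; 'access content' is assumed as the machine name of the "view published content" permission.

```php
<?php
// Added illustration: a simplified model, not Drupal core code.

// The default row: nid 0 = every node, realm 'all' / gid 0 = every user.
const DEFAULT_GRANT = [
  'nid' => 0, 'realm' => 'all', 'gid' => 0,
  'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0,
];

// Hypothetical helper: module-provided records win; otherwise the default row.
function grantTable(array $moduleRecords): array {
  return $moduleRecords ?: [DEFAULT_GRANT];
}

// Hypothetical helper. $hookResult: TRUE/FALSE when an access hook already
// allowed/denied the operation, NULL when every hook stayed neutral.
function nodeAccess(string $op, array $node, array $account, array $table, ?bool $hookResult = NULL): bool {
  if (in_array('bypass node access', $account['permissions'], TRUE)) {
    return TRUE;                      // (a) bypass skips grants entirely
  }
  if (!in_array('access content', $account['permissions'], TRUE)) {
    return FALSE;                     // (b) "view published content" missing
  }
  if ($hookResult !== NULL) {
    return $hookResult;               // (c) a hook decided first
  }
  if (!$node['published']) {
    return FALSE;                     // (d) simplified: unpublished gets no default
  }
  // Every account implicitly holds gid 0 in realm 'all'.
  $held = $account['grants'] + ['all' => [0]];
  foreach ($table as $row) {
    $matchesNode = $row['nid'] === 0 || $row['nid'] === $node['nid'];
    $matchesUser = in_array($row['gid'], $held[$row['realm']] ?? [], TRUE);
    if ($matchesNode && $matchesUser && $row["grant_$op"] === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample data: one published node, one user without bypass.
$node = ['nid' => 7, 'published' => TRUE];
$user = ['permissions' => ['access content'], 'grants' => []];
$table = grantTable([]);
foreach (['view', 'update', 'delete'] as $op) {
  printf("%-6s => %s\n", $op, var_export(nodeAccess($op, $node, $user, $table), TRUE));
}
```

Passing a module record to grantTable() removes the default row from the model, so view access then depends entirely on the realms and gids the account holds.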
