Implement field permissions per-bundle (field instance)

I'm applying the patch from https://www.drupal.org/project/field_permissions/issues/2881776#comment-... ✨ Implement field permissions per-bundle (field instance) Needs work in a new merge request open here:

https://git.drupalcode.org/project/field_permissions/-/merge_requests/10...

It does two things.

1. Applies to the latest version of the 8.x-1.x branch.
2. Updates the referenced class to be Drupal\Core\Field\FieldConfigInterface instead of Drupal\field\FieldConfigInterface. The first locks us from altering permissions on fields defined using \Drupal\Core\Field\Entity\BaseFieldOverride (like the promoted field) which was technically possible with the entity-wide version of the module (although to get it to work with the UI, you needed something like https://www.drupal.org/project/base_field_override_ui → )

Let's see how tests go!

Ok, at this point the only test failing is related to the d7 -> d8+ field migration, which checks to make sure that the third-party settings on the FieldStorage match between the d7 and d8+ config. Since this patch changes where the third-party settings for this module live, pushing them onto the field config (field.field) level, it's a valid failure.

That migration process would need to be rewritten to move the settings onto the bundle level, and then this test would need to be updated.

Alternatively, if this is going onto an 8.x-2.x branch, I suppose we could say that branch doesn't support migration from d7, and drop both the migration and drop the test. If we find ourselves beyond end of life for D7 and this hasn't been merged into a 2.x branch, that is the easy solution.

Alternatively, if this is going onto an 8.x-2.x branch

I think this should go into a 2.x branch as it is a substantial change.

Can I suggest that if we're talking about a new 2.x branch that it might be worth rolling this and the following issue in together:

https://www.drupal.org/project/field_permissions/issues/3110867 →

The patch on that issue already uses patch #10 from this issue as a base.

I'm attaching a patch that is compatible with the latest dev release and contains a fix to this patch that fails if you're looking at the field in a view (which does not provide a bundle, core issue: https://www.drupal.org/project/drupal/issues/2898635 🐛 [PP-1] bundleFieldDefinitions() are not added in EntityViewsData Needs work ). This should fix https://www.drupal.org/project/field_permissions/issues/3373500 🐛 TypeError: Drupal\field_permissions\FieldPermissionsService::fieldGetPermissionType(): Argument #1 ($field) must be of type Drupal\field\FieldStorageConfigInterface Fixed if people are seeing it.

I'll try to get this merged into the new 2.x branch this week or next so we can stop with all the patching.

Patch reroll against 1.3.

And how about a reroll that doesn't cause whitescreens!

And another reroll that lets the field configuration page load.

Reroll diff.

I'm taking steps to move this issue onto the 8.x-2.x branch, which currently matches the 8.x-1.x branch. This per-bundle permissions feature will be the major difference between branches.

Attaching Snapshot PR of the latest version of the Merge Request by mariacha. works with the latest release and tested on D10.

Huh. The last patch doesn't apply in builds because it patches the info file and the info file has extra junk in it from automated D.O. packaging. Here's one usable for those cases.

I'm attaching the interdiff between 42 and 45 (ignoring the .info stuff). It's worth noting that the merge request is slightly different based on the need in https://www.drupal.org/project/field_permissions/issues/2881776#comment-... ✨ Implement field permissions per-bundle (field instance) Needs work .

It would be good to know if we are still trying to make the per-bundle option something a user can choose to configure. In the current patches all field permissions are per-bundle and none are per-entity.

Here's the interdiff.

Here's a link to this issue's previous comment with helpful d.o markup (so we know the comment #): #2881776-35: Implement field permissions per-bundle (field instance) →

I first tried the patch: 2881776-packaged-45.patch to the latest stable version Field Permissions: 8.x-1.3 and it applied cleanly. However, I get the following error when trying to save a new field permission:

The website encountered an unexpected error. Try again later.

RuntimeException: Adding non-existent permissions to a role is not allowed. The incorrect permissions are "create field_sidebar_sections", "edit own field_sidebar_sections", "view own field_sidebar_sections". in Drupal\user\Entity\Role->calculateDependencies() (line 207 of core/modules/user/src/Entity/Role.php).
Drupal\Core\Config\Entity\ConfigEntityBase->preSave(Object) (Line: 179)
Drupal\user\Entity\Role->preSave(Object) (Line: 528)
Drupal\Core\Entity\EntityStorageBase->doPreSave(Object) (Line: 483)
Drupal\Core\Entity\EntityStorageBase->save(Object) (Line: 257)
Drupal\Core\Config\Entity\ConfigEntityStorage->save(Object) (Line: 352)
Drupal\Core\Entity\EntityBase->save() (Line: 609)
Drupal\Core\Config\Entity\ConfigEntityBase->save() (Line: 96)
Drupal\field_permissions\Plugin\FieldPermissionType\CustomAccess->submitAdminForm(Array, Object, Object) (Line: 154)
field_permission_field_config_edit_form_submit(Array, Object)
call_user_func_array('field_permission_field_config_edit_form_submit', Array) (Line: 129)
Drupal\Core\Form\FormSubmitter->executeSubmitHandlers(Array, Object) (Line: 67)
Drupal\Core\Form\FormSubmitter->doSubmitForm(Array, Object) (Line: 597)
Drupal\Core\Form\FormBuilder->processForm('field_config_edit_form', Array, Object) (Line: 325)
Drupal\Core\Form\FormBuilder->buildForm(Object, Object) (Line: 73)
Drupal\Core\Controller\FormController->getContentResult(Object, Object)
call_user_func_array(Array, Array) (Line: 123)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 627)
Drupal\Core\Render\Renderer->executeInRenderContext(Object, Object) (Line: 124)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->wrapControllerExecutionInRenderContext(Array, Array) (Line: 97)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 181)
Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object, 1) (Line: 76)
Symfony\Component\HttpKernel\HttpKernel->handle(Object, 1, 1) (Line: 58)
Drupal\Core\StackMiddleware\Session->handle(Object, 1, 1) (Line: 48)
Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object, 1, 1) (Line: 28)
Drupal\Core\StackMiddleware\ContentLength->handle(Object, 1, 1) (Line: 32)
Drupal\big_pipe\StackMiddleware\ContentLength->handle(Object, 1, 1) (Line: 106)
Drupal\page_cache\StackMiddleware\PageCache->pass(Object, 1, 1) (Line: 85)
Drupal\page_cache\StackMiddleware\PageCache->handle(Object, 1, 1) (Line: 48)
Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object, 1, 1) (Line: 51)
Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object, 1, 1) (Line: 36)
Drupal\Core\StackMiddleware\AjaxPageState->handle(Object, 1, 1) (Line: 51)
Drupal\Core\StackMiddleware\StackedHttpKernel->handle(Object, 1, 1) (Line: 704)
Drupal\Core\DrupalKernel->handle(Object) (Line: 19)

I then installed the 8.x-2.x-dev module version and tried to apply the patch: 2881776-packaged-45.patch. It couldn't apply.

@gcb is patch in #47 actually working for you? Looking at field_permissions_entity_field_access():

-  if (!$field_definition->isDisplayConfigurable($context) || empty($items) || !is_a($field_definition->getFieldStorageDefinition(), '\Drupal\field\FieldStorageConfigInterface')) {
+  if (!$field_definition->isDisplayConfigurable($context) || empty($items) || !is_a($field_definition->getFieldStorageDefinition(), '\Drupal\Core\Field\FieldConfigInterface') || !$field_definition->getTargetBundle()) {

I don't understand how $field_definition->getFieldStorageDefinition() will return \Drupal\Core\Field\FieldConfigInterface.

This patch is the fixed version of patch from #47 (with \Drupal\field\FieldStorageConfigInterface instead of \Drupal\Core\Field\FieldConfigInterface)

Similar to @sassafrass in comment #52 ✨ Implement field permissions per-bundle (field instance) Needs work , I tried the patch 2881776-55--packaged-45-fixed.patch in the latest 1.3 version. It applied, but then when running the database updates, I'm getting:

  Module              Update ID   Type            Description                                                     
 ------------------- ----------- --------------- ---------------------------------------------------------------- 
  field_permissions   8001        hook_update_n   8001 - Migrates existing third party settings and permissions.  
 ------------------- ----------- --------------- ---------------------------------------------------------------- 
 // Do you wish to run the specified pending updates?: yes.                                                             

>  [notice] Update started: field_permissions_update_8001
>  [error]  Adding non-existent permissions to a role is not allowed. The incorrect permissions are "create field_1", "edit field_2", "edit field_3", "view field_4", ( ...)
>  [error]  Update failed: field_permissions_update_8001 
 [error]  Update aborted by: field_permissions_update_8001 
 [error]  Finished performing updates. 

I also tried with the the 8.x-2.x-dev module version and the patch didn't apply.

Moving back to 8.x-1.x for now, in hopes we can redo the 2.x branch correctly (semantic versioning)

Alright, I've attempted to merge 8.x-1.4 into the work on this branch. There were a LOT of conflicts. I believe my branch is functioning as desired, but I have failed to get the automated tests fixed. I'm not terribly familiar with how these tests work, so I'd love some help getting those running on my branch.

The reason why #55 worked for me and some others seems to be that we still didn't upgrade to Drupal 10 🙈. Upgrading to Drupal 10 I found the note in upgrade status that all permissions in a user role must be defined in a module.permissions.yml file or a permissions callback, linking to the CR Permissions must exist → .

Copy of patch from https://git.drupalcode.org/project/field_permissions/-/merge_requests/34... (Merge request !34) attached, to be used safely with composer".

The new MR34 did not merge all 8.x-1.x changes correctly. I updated the original MR10. The automated tests are green again.

idebr → changed the visibility of the branch 2881776-consider-implementing-per-bundle_8x-14 to hidden.