'roles' field on User entity is never accessible: make accessible to admin users

Created on 7 February 2019, almost 6 years ago
Updated 2 February 2025, 2 days ago

Hello,

I am using GraphQL with Drupal, but I think this issue might be a generic Drupal core issue, so I'm opening it up here. Currently, when accessing the user roles via an endpoint (GraphQL, JSON API or REST, I think), the user's roles are always set to access denied and return empty if the user is not an administrator.

It might be a similar situation to https://www.drupal.org/project/drupal/issues/3026264 (?). With some pointers I would be able to get a patch started here and kick off the conversation.

I guess it would be OK to allow users to access their own roles by default; maybe accessing other users' roles could already be classified as an access violation of some sort.

Looking forward to some feedback! Thanks! Cheers

✨ Feature request
Status

Needs work

Version

11.0

Component

user.module

Created by

joaogarin (Portugal)

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.


Comments & Activities


  • First commit to issue fork.
  • vidorado (Pamplona, Navarra, Spain)
  • @vidorado opened merge request.
  • smustgrave (United States)

    I believe this will need an upgrade path + update test. Currently, with this change, I think whatever you currently have access to would be ripped away. I believe the proper approach would be that things shouldn't change for existing users, but it can be configured to be taken away after the fact by the site admin.

  • vidorado (Pamplona, Navarra, Spain)

    @smustgrave I don't see how users could suddenly lose their access. The only users who had view+edit access to roles in user edit forms were those with the "Administer permissions" permission, and that remains unchanged. As far as I understand, the only addition in this change is a read-only view of one's own roles for users with "View own account details" permission.

    Regarding REST APIs, we've only added an AccessResult::allowed() when the user has "View own account details", while keeping AccessResult::neutral() otherwise, which aligns with the previous behavior.

    Could you clarify where exactly you see a potential permission loss?

    Thanks!

  • smustgrave (United States)

    You're adding a new permission that no one will have

  • vidorado (Pamplona, Navarra, Spain)

    So, are you suggesting that the "View own account details" permission should be granted to authenticated users by default? That could make sense, but it would also mean that users would suddenly see their roles appearing in their own user edit forms.

    If that's the intended behavior, an upgrade path should be implemented. However, I'm not entirely sure if that would be the best approach. What do you think?
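As an added illustration of the access rule vidorado describes in the comments above (this is example code for a hypothetical custom module, not the merge request's code, which is not shown on this page): a hook_entity_field_access() implementation that grants read-only access to a user's own "roles" field when the account holds the new permission, and stays neutral in every other case so the core UserAccessControlHandler result is untouched. The module name roles_view_own and the permission machine name "view own account details" are assumptions; the hook signature, AccessResult methods and cache-context helpers are the real Drupal core API.

```php
<?php

/**
 * @file
 * Added example for a hypothetical "roles_view_own" module (not the MR code).
 *
 * Assumes the module also defines the permission in
 * roles_view_own.permissions.yml (machine name is an assumption):
 *
 *   view own account details:
 *     title: 'View own account details'
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 *
 * Field access hook results are combined with the access control handler's
 * own result via orIf(): an allowed() here grants "view" on the requesting
 * user's own roles, while a neutral() never takes existing access away.
 * "edit" (and any other operation) is deliberately left neutral, so changing
 * roles keeps requiring "administer permissions" exactly as before.
 */
function roles_view_own_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL): AccessResultInterface {
  // Only the "roles" field of user entities is of interest here.
  if ($field_definition->getTargetEntityTypeId() !== 'user' || $field_definition->getName() !== 'roles') {
    return AccessResult::neutral();
  }

  // Read-only: anything but "view" is not touched by this hook.
  if ($operation !== 'view') {
    return AccessResult::neutral();
  }

  // Without $items we cannot tell whose account this is (field access can be
  // queried without a concrete entity), so stay neutral rather than guess.
  if ($items === NULL) {
    return AccessResult::neutral();
  }

  // Anonymous (uid 0) viewing the anonymous user entity would otherwise count
  // as "own account"; require a real session before comparing ids.
  $is_own_account = $account->isAuthenticated()
    && (int) $items->getEntity()->id() === (int) $account->id();

  // Other users' roles remain as restricted as they were before.
  if (!$is_own_account) {
    return AccessResult::neutral();
  }

  // allowedIfHasPermission() yields allowed() or neutral() and already adds
  // the "user.permissions" cache context; the result also depends on which
  // user is asking, so record the per-user context as well.
  return AccessResult::allowedIfHasPermission($account, 'view own account details')
    ->cachePerUser();
}
```

With this in place, a REST or JSON:API read of /user/{own uid} by an account holding the permission includes the roles field, while the same read of another user's account, an unauthenticated read, or any edit attempt behaves exactly as without the module. The cache contexts matter: omitting cachePerUser() would let one user's allowed result be served from cache to another.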
