Contrib.social

Access Control with View Own Content / View Own Entity in Core

Open on Drupal.org →
Created on 28 October 2019, over 5 years ago
Updated 13 June 2024, 9 months ago

Hi,
Drupal has long been seriously lacking of 1 critical permission View Own Content in core. Without the said, we CANNOT even build a simple Ticketing Support System whereby each submitted ticket can only be accessed by the author and the assigned roles. How can this View Own permission be ignored as we do have the Edit Own permission in core ?

I've been relying on the Content Access Module for such a View Own permission and now the module seems dead with lots of unresolved issues. Frankly, many Access Control Modules of Drupal seem to have been Dead without further maintenance and development with the scariest wording "Use At Your Own Risk !" everywhere.

I hope that Drupal could add View Own Permission for All Entities in core instead of depending on lots of contrib modules which ended up in half-baked / unmaintained status.

Being highly secure and fine-grained in permissions is the motto of Drupal and wish that Drupal could further improve its Core Permissions. Thank you all for the hard work.

Feature request
Status

Closed: duplicate

Component

Idea

Created by

paulwdru

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago
    🇩🇪Germany Anybody Porta Westfalica

    It's not only missing "View own" but also "View" permission per bundle type. And yes, both is useful for

    Currently there are some contrib modules implementing this, but it should be in core, definitely.

  • Status changed to Postponed: needs info 9 months ago
  • Comment 9 months ago
    🇦🇺Australia pameeela

    OP says contrib is lacking for this kind of module, but that seems to have changed since? The modules listed in #5 all have stable releases for D10.

    What is the specific case for including this in core if it is satisfactorily handled in contrib?

  • Comment 9 months ago
    🇦🇺Australia pameeela

    Just adding some stats to speak to the popularity of this feature:
    entity_bundle_permissions: 70 sites
    node_view_permissions: 9,269 sites
    entity_type_permissions: 25 sites
    content_access: 11,114 (D8+ only)

  • Comment 9 months ago
    🇩🇪Germany Anybody Porta Westfalica

    @pameeela thank you for your feedback! I think there are many facets to this issue.
    From the technical perspective, I think it's important that Drupal offers a stable functionality for this typical "own" permission requirement. If I remember correctly, there are quite some flaws with the current implementations, at least outside of nodes (but I'm not sure).

    So if Drupal Core allows to cleanly and stable solve this in contrib, that might be enough indeed! (This should be checked before closing this issue).

    I *personally* think Drupal Core as a technical framework should cover / provide such "natural" things in core for entities (like the related issues are tend to). And as a developer again and again ran into situations where I was wondering about such missing pieces, especially in technical-focused Drupal projects, but I'm not the person to decide what Core should do or not.

    TL;DR: I think it would make much sense to include this as part of 📌 Introduce entity permission providers Needs work (and eventually close this as duplicate then), but the Framework Managers should decide.

  • Comment 9 months ago
    🇦🇺Australia pameeela

    I think that the module usage suggests this isn't *that* widely needed as a feature. For my part, I have needed it on occasion but it is far from an 80% use case for me.

    So apart from it being used on most sites, another reason to add it to core would be to provide (or just unblock) extensibility for contrib. So if contrib can already do it, then it might be better off there? Because having it in contrib allows for faster innovation and more variety.

  • Comment 9 months ago
    🇩🇪Germany Anybody Porta Westfalica

    Yes exactly! My favourite would be to have it *offered* by the entity permission providers, but perhaps not enabled by default, so it can be used for entity types where needed and that doesn't have to happen in UI, but can happen in contrib / custom code! :)
    Guess that would be a perfect framework support.

  • Comment 9 months ago
    🇦🇺Australia pameeela

    So are there specific changes you would propose to core to get to the point you are after? If so, a good next step would be to update this issue summary based on that, using the template suggested on the project page . The current summary (and its tone) are not super helpful along those lines.

  • Comment 9 months ago
    🇩🇪Germany Anybody Porta Westfalica

    Thanks @pameeela, I just had a look at the related issue 📌 Introduce entity permission providers Needs work
    and found these lines in the code:
    https://git.drupalcode.org/project/drupal/-/merge_requests/2912/diffs#10...

    So I think everything requested here is already existing over there. So I'd indeed suggest to close this as duplicate and proceed in the other issue.

  • Status changed to Closed: duplicate 9 months ago
  • Comment 9 months ago
    🇦🇺Australia pameeela

    Great, thank you for confirming!

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024