Contrib.social

RoleAccessCheck should provide a reason when denying access

Open on Drupal.org โ†’
Created on 5 October 2020, almost 5 years ago
Updated 20 March 2023, over 2 years ago

Problem/Motivation

\Drupal\user\Access\RoleAccessCheck does not provide a reason when it doesn't allow access

Steps to reproduce

Create a route that uses \Drupal\user\Access\RoleAccessCheck for access checking.
Access as a user without that role.
No information is provided in the logs

Proposed resolution

Add a reason when not providing access in \Drupal\user\Access\RoleAccessCheck

Remaining tasks

Patch
Tests

User interface changes

API changes

Data model changes

Release notes snippet

Original report

We have a custom module with a route that uses role-based access requirements. This is an internal-use site and not for public access. The basic site setting for the defaut front page is set to /dashboard.

The error when using role-based access does not indicate the reason.

After changing to permission based for a test, the reason is reported.

I can understand attempted access to a restricted path needs to be logged, but is there a way to exclude or filter out a specific route? We get a lot of users hitting / or /dashboard that are not logged in.

๐Ÿ“Œ Task
Status

Needs work

Version

10.1 โœจ

Component
Routingย  โ†’

Last updated 44 minutes ago

Created by

๐Ÿ‡จ๐Ÿ‡ฆCanada blainelang

Live updates comments and jobs are added and updated live.
  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 2 years ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request โ†’ as a guide.

    MR should be updated to 10.1
    There are also a number of open threads on 1407 that should be addressed

    This seems like a super helpful feature. Is there any security implication?

  • Comment over 2 years ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance andypost

    Needs new patch or maybe @amjad1233 can change target branch to 10.1.x

  • Comment over 2 years ago โ†’
    ๐Ÿ‡ฆ๐Ÿ‡บAustralia amjad1233 Brisbane

    Great suggestion let me get my hands dirty in this one.

  • Comment over 2 years ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Around to review again if needed. Just wanted to double check that thereโ€™s no security issue announcing permissions?

  • Status changed to Needs review over 2 years ago
  • Comment over 2 years ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance andypost

    re-roll and fix for #19

    Open questions are

    1. is secure exposing roles machine names
    2. suggestion to add protected method to generate the reason
  • Comment over 2 years ago โ†’
    ๐Ÿ‡ฆ๐Ÿ‡บAustralia amjad1233 Brisbane

    @andypost Thanks for the re-roll. ๐Ÿ’ช๐Ÿ’ช๐Ÿ’ช

    I tried and patch applies cleanly and site also builds up fine.

    patching file 'core/modules/user/src/Access/RoleAccessCheck.php'
patching file 'core/tests/Drupal/Tests/Core/Route/RoleAccessCheckTest.php'

    Regarding Question 1 : I believe we are doing that already at certain places, but I agree with hiding as much as we can. With that said, I will defer question to @larowlan.

    Regarding Question 2: I am not sure if this class will only be extended or there will be places where we create new instance of the class... In the later case Protected would fail. I think we should crack this one in ๐Ÿ“Œ Deprecate empty AccessInterface and remove usages Needs work . May be we explicitly define it's signature in interface.

  • Status changed to Needs work over 2 years ago
  • Comment over 2 years ago โ†’
    ๐Ÿ‡ฆ๐Ÿ‡บAustralia larowlan ๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ.au GMT+10

    1) is secure exposing roles machine names

    I think we'd need to load the role and call $role->access('view label') for each one

    2) I still like adding a method to simplify the complexity here, nested if/else can be removed with early returns in a new method

  • Comment over 2 years ago โ†’
    ๐Ÿ‡ฆ๐Ÿ‡บAustralia larowlan ๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ.au GMT+10
    +++ b/core/modules/user/src/Access/RoleAccessCheck.php
@@ -44,10 +45,37 @@ public function access(Route $route, AccountInterface $account) {
+    else {
+      return sprintf('One of the %s %s %s roles are required', implode(', ', $roles), $condition, $last);

    No need for else here, as we return above, even more simplification from the new method ๐Ÿ’ช

    I looked into the permissions question and roles require 'administer permissions' to view their labels, which we're not going to grant here, obviously.

    I'll ask around

  • Comment over 2 years ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia anchal_gupta

    I have uploaded the patch
    as per #30 comment.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024