RoleAccessCheck should provide a reason when denying access

Created on 5 October 2020, about 4 years ago
Updated 20 March 2023, almost 2 years ago

Problem/Motivation

\Drupal\user\Access\RoleAccessCheck does not provide a reason when it doesn't allow access

Steps to reproduce

Create a route that uses \Drupal\user\Access\RoleAccessCheck for access checking.
Access as a user without that role.
No information is provided in the logs

Proposed resolution

Add a reason when not providing access in \Drupal\user\Access\RoleAccessCheck

Remaining tasks

Patch
Tests

User interface changes

API changes

Data model changes

Release notes snippet

Original report

We have a custom module with a route that uses role-based access requirements. This is an internal-use site and not for public access. The basic site setting for the defaut front page is set to /dashboard.

The error when using role-based access does not indicate the reason.

After changing to permission based for a test, the reason is reported.

I can understand attempted access to a restricted path needs to be logged, but is there a way to exclude or filter out a specific route? We get a lot of users hitting / or /dashboard that are not logged in.

๐Ÿ“Œ Task
Status

Needs work

Version

10.1 โœจ

Component
Routingย  โ†’

Last updated 3 days ago

Created by

๐Ÿ‡จ๐Ÿ‡ฆCanada blainelang

Live updates comments and jobs are added and updated live.
  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request โ†’ as a guide.

    MR should be updated to 10.1
    There are also a number of open threads on 1407 that should be addressed

    This seems like a super helpful feature. Is there any security implication?

  • ๐Ÿ‡ซ๐Ÿ‡ทFrance andypost

    Needs new patch or maybe @amjad1233 can change target branch to 10.1.x

  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia amjad1233 Brisbane

    Great suggestion let me get my hands dirty in this one.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Around to review again if needed. Just wanted to double check that thereโ€™s no security issue announcing permissions?

  • Status changed to Needs review almost 2 years ago
  • ๐Ÿ‡ซ๐Ÿ‡ทFrance andypost

    re-roll and fix for #19

    Open questions are

    1. is secure exposing roles machine names
    2. suggestion to add protected method to generate the reason
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia amjad1233 Brisbane

    @andypost Thanks for the re-roll. ๐Ÿ’ช๐Ÿ’ช๐Ÿ’ช

    I tried and patch applies cleanly and site also builds up fine.

    patching file 'core/modules/user/src/Access/RoleAccessCheck.php'
    patching file 'core/tests/Drupal/Tests/Core/Route/RoleAccessCheckTest.php'
    

    Regarding Question 1 : I believe we are doing that already at certain places, but I agree with hiding as much as we can. With that said, I will defer question to @larowlan.

    Regarding Question 2: I am not sure if this class will only be extended or there will be places where we create new instance of the class... In the later case Protected would fail. I think we should crack this one in ๐Ÿ“Œ Deprecate empty AccessInterface and remove usages Needs work . May be we explicitly define it's signature in interface.

  • Status changed to Needs work almost 2 years ago
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia larowlan ๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ.au GMT+10

    1) is secure exposing roles machine names

    I think we'd need to load the role and call $role->access('view label') for each one

    2) I still like adding a method to simplify the complexity here, nested if/else can be removed with early returns in a new method

  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia larowlan ๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ.au GMT+10
    +++ b/core/modules/user/src/Access/RoleAccessCheck.php
    @@ -44,10 +45,37 @@ public function access(Route $route, AccountInterface $account) {
    +    else {
    +      return sprintf('One of the %s %s %s roles are required', implode(', ', $roles), $condition, $last);
    

    No need for else here, as we return above, even more simplification from the new method ๐Ÿ’ช

    I looked into the permissions question and roles require 'administer permissions' to view their labels, which we're not going to grant here, obviously.

    I'll ask around

  • ๐Ÿ‡ฎ๐Ÿ‡ณIndia anchal_gupta

    I have uploaded the patch
    as per #30 comment.

Production build 0.71.5 2024