- ๐บ๐ธUnited States smustgrave
This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request โ as a guide.
MR should be updated to 10.1
There are also a number of open threads on 1407 that should be addressedThis seems like a super helpful feature. Is there any security implication?
- ๐ซ๐ทFrance andypost
Needs new patch or maybe @amjad1233 can change target branch to 10.1.x
- ๐ฆ๐บAustralia amjad1233 Brisbane
Great suggestion let me get my hands dirty in this one.
- ๐บ๐ธUnited States smustgrave
Around to review again if needed. Just wanted to double check that thereโs no security issue announcing permissions?
- Status changed to Needs review
almost 2 years ago 3:32pm 5 February 2023 - ๐ซ๐ทFrance andypost
re-roll and fix for #19
Open questions are
- is secure exposing roles machine names
- suggestion to add protected method to generate the reason
- ๐ฆ๐บAustralia amjad1233 Brisbane
@andypost Thanks for the re-roll. ๐ช๐ช๐ช
I tried and patch applies cleanly and site also builds up fine.
patching file 'core/modules/user/src/Access/RoleAccessCheck.php' patching file 'core/tests/Drupal/Tests/Core/Route/RoleAccessCheckTest.php'
Regarding Question 1 : I believe we are doing that already at certain places, but I agree with hiding as much as we can. With that said, I will defer question to @larowlan.
Regarding Question 2: I am not sure if this class will only be extended or there will be places where we create new instance of the class... In the later case Protected would fail. I think we should crack this one in ๐ Deprecate empty AccessInterface and remove usages Needs work . May be we explicitly define it's signature in interface.
- Status changed to Needs work
almost 2 years ago 12:07am 3 March 2023 - ๐ฆ๐บAustralia larowlan ๐ฆ๐บ๐.au GMT+10
1) is secure exposing roles machine names
I think we'd need to load the role and call $role->access('view label') for each one
2) I still like adding a method to simplify the complexity here, nested if/else can be removed with early returns in a new method
- ๐ฆ๐บAustralia larowlan ๐ฆ๐บ๐.au GMT+10
+++ b/core/modules/user/src/Access/RoleAccessCheck.php @@ -44,10 +45,37 @@ public function access(Route $route, AccountInterface $account) { + else { + return sprintf('One of the %s %s %s roles are required', implode(', ', $roles), $condition, $last);
No need for else here, as we return above, even more simplification from the new method ๐ช
I looked into the permissions question and roles require 'administer permissions' to view their labels, which we're not going to grant here, obviously.
I'll ask around
- ๐ฎ๐ณIndia anchal_gupta
I have uploaded the patch
as per #30 comment.