Add permissions for optional modules to content editor role as they become enabled

Created on 29 June 2021, over 3 years ago
Updated 27 September 2024, about 1 month ago

Problem/Motivation

#3059984: Add new “Content Editor” role to Standard Profile → added a new role with permissions for modules that are not installed. We've removed them in #3221258: Fix content editor role to only have permissions that exist →; however, this affects how useful the role is.

Let's decide how to add the permissions to the role when modules are installed in a fashion that supports #2571235: [regression] Roles should depend on objects that are building the granted permissions →

Proposed resolution

TBD - here are some options:

  • Add standard_hook_modules_installed() to do the work (I think this is the better solution)
  • Add a new key to the role config entity to permissions_to_install
  • Make modules part of the standard install

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

📌 Task
Status

Active

Version

11.0 🔥

Component

user system

Created by

🇬🇧 United Kingdom alexpott 🇪🇺

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • Pipeline finished with Success
    about 1 month ago
    Total: 755s
    #294441
  • 🇺🇸 United States benjifisher Boston area

    Now that The Recipe Initiative APIs have been added to core as experimental →, we have a new option for solving this problem. We can use a recipe to install a module and add permissions from that module to existing roles, such as the content_editor role.

    MR 9651 provides a proof of concept: it adds recipe.yml to the content_moderation module. The recipe does the following steps:

    1. Install the content_moderation module.
    2. Install related optional configuration (for the editorial workflow) from the standard profile.
    3. Grant permissions, which depend on the module and the configuration, to the content_editor role.

    Now, I have the option of installing the module or applying the recipe. Using Drush, the two options are

    • drush en content_moderation
    • drush recipe core/modules/content_moderation

    Of course, any other recipe that wants to install the module can apply the recipe instead.

    I do not have any other examples in mind, but I suspect that there are many modules that can benefit from the same approach.

    Comment #2 added the "Security improvements" issue tag. I think the security improvement was already done by the related issue #3221258: Fix content editor role to only have permissions that exist →, so I am removing the tag from this issue.

  • 🇺🇸 United States benjifisher Boston area
  • 🇺🇸 United States thejimbirch Cape Cod, Massachusetts

    You could simplify the recipe a bit by using standard's editorial_workflow also so you also get the optional views.view.moderated_content config which you aren't importing currently.

    name: 'Content Moderation'
    description: 'Adds permissions to standard user roles for the Content Moderation module.'
    type: 'Users'
    recipes:
      - core/recipes/editorial_workflow
    config:
      actions:
        user.role.content_editor:
          grantPermissions:
            - 'view any unpublished content'
            - 'view latest version'
            - 'use editorial transition archive'
            - 'use editorial transition archived_draft'
            - 'use editorial transition archived_published'
            - 'use editorial transition create_new_draft'
            - 'use editorial transition publish'
    
  • 🇺🇸 United States benjifisher Boston area

    Thanks for that suggestion. I did not realize that core/recipes/ had any recipes beyond what the standard profile uses.

    Another option is to add these permissions in the editorial_workflow recipe or in a new recipe under core/recipes/.

    Either way, we should probably add a dependency on the content_editor_role recipe.

  • 🇺🇸 United States smustgrave

    Can the issue summary be updated as well please.

  • 🇺🇸 United States benjifisher Boston area
  • 🇺🇸 United States benjifisher Boston area

    I am updating the Proposed resolution in the issue summary (and making minor edits to the rest).

  • Pipeline finished with Canceled
    about 1 month ago
    Total: 465s
    #295788
  • Pipeline finished with Failed
    about 1 month ago
    Total: 367s
    #295793
  • 🇺🇸 United States benjifisher Boston area

    I updated the MR to add the permissions in the existing editorial_workflows recipe.

    In Comment #21, I wrote,

    I did not realize that core/recipes/ had any recipes beyond what the standard profile uses.

    I see now that this recipe was created as a place to put the optional configuration workflows.workflow.editorial from the standard profile. Since the permissions I am adding depend on the workflows transitions defined in that configuration entity, I think it is a good idea to put the permissions and the config in the same recipe.

    I would like further review of this issue, but I am leaving the status at NW because there are other permissions from other modules that I want to add.

  • 🇺🇸 United States benjifisher Boston area

    Looking at #3221258: Fix content editor role to only have permissions that exist →, these are the permissions that were removed, grouped by module:

    Core modules

    1. content_moderation
      • use editorial transition archive
      • use editorial transition archived_draft
      • use editorial transition archived_published
      • use editorial transition create_new_draft
      • use editorial transition publish
      • view any unpublished content
      • view latest version
    2. content_translation
      • create content translations
      • delete content translations
      • update content translations
    3. media
      • access media overview
      • create media
      • delete media
      • update media
      • view all media revisions
      • view own unpublished media

    Contrib modules that used to be part of core

    1. aggregator
      • access news feeds
    2. book
      • access printer-friendly version
      • add content to books
      • create new books
    3. node module, if the book content type is defined (optional config in the book module)
      • delete own book content
      • edit own book content
      • delete book revisions
      • create book content
    4. statistics
      • view post access counter

    MR 9651 already handles the permissions from the content_moderation module. It should also handle permissions from the content_translation and media modules. We might need new recipes for these: none of the core recipes enable either of these modules directly. The *_media_type recipes enable media indirectly (by enabling the media_library module). Perhaps one of the core recipes enables content_translation indirectly, but I do not think so.

    What about the aggregator, book, and statistics modules? (These modules were in Drupal core when the content_editor role was created, but have since been removed.) One option is to create separate projects on d.o with recipes for each. If we consider letting modules define their own recipes, as I suggested in Comment #18, then we could add recipes to those contrib modules and add the permissions in those recipes.
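
The first option in the issue summary (a hook in the standard profile), written out against the core-module permissions listed in the comment above. This is an added example, not code from MR 9651 or from Drupal core; the function name `standard_modules_installed()` is an assumption that follows Drupal's hook naming.

```php
<?php
use Drupal\user\Entity\Role;

/**
 * Implements hook_modules_installed() for the standard profile (hypothetical).
 */
function standard_modules_installed(array $modules, bool $is_syncing): void {
  // During a configuration import the imported role config is authoritative.
  if ($is_syncing) {
    return;
  }
  // Core-module permissions removed in #3221258, keyed by providing module.
  $wanted = [
    'content_moderation' => [
      'use editorial transition archive',
      'use editorial transition archived_draft',
      'use editorial transition archived_published',
      'use editorial transition create_new_draft',
      'use editorial transition publish',
      'view any unpublished content',
      'view latest version',
    ],
    'content_translation' => [
      'create content translations',
      'delete content translations',
      'update content translations',
    ],
    'media' => [
      'access media overview', 'create media', 'delete media',
      'update media', 'view all media revisions', 'view own unpublished media',
    ],
  ];
  $role = Role::load('content_editor');
  if (!$role) {
    // The site has deleted the role: nothing to extend.
    return;
  }
  // Grant only permissions that are defined right now. The transition
  // permissions exist only if the editorial workflow config is installed.
  $defined = array_keys(\Drupal::service('user.permissions')->getPermissions());
  $before = $role->getPermissions();
  foreach (array_intersect_key($wanted, array_flip($modules)) as $permissions) {
    foreach (array_intersect($permissions, $defined) as $permission) {
      $role->grantPermission($permission);
    }
  }
  if ($role->getPermissions() !== $before) {
    $role->save();
  }
}
```

Filtering against the currently defined permissions keeps the role from ever holding a permission name that no installed module provides, which is the condition #3221258 set out to guarantee.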

  • 🇺🇸 United States thejimbirch Cape Cod, Massachusetts

    Modules can’t provide recipes. Recipes need to be their own packages and kept in a single folder suggested to be above web root.
    Core recipes location is the only exception.

    This is so the recipe runner knows where to look for dependent recipes.

    Modules also can contain recipes as there would be conflicts with the config folder as recipes and modules have different needs and structures.

  • 🇺🇸 United States benjifisher Boston area

    We discussed this issue briefly at 📌 Drupal Usability Meeting 2024-10-04 Active. That issue will have a link to a recording of the meeting.

    @rkoller pointed out that I should consider the recipes in https://git.drupalcode.org/project/drupal_cms as well as the core recipes. In particular, the drupal_cms_multilingual recipe already enables the content_translation module and adds permissions to the content_editor role. Probably nothing more has to be done for that module. I have not yet looked for recipes that enable the media module.

    For the record, the attendees at the usability meeting were AaronMcHale, avani.bhut, benjifisher, rkoller, shaal, simohell, and zetagraph.
