- First commit to issue fork.
- 🇺🇸 United States benjifisher Boston area
Now that The Recipe Initiative APIs have been added to core as experimental, we have a new option for solving this problem. We can use a recipe to install a module and add permissions from that module to existing roles, such as the content_editor role.

MR 9651 provides a proof of concept: it adds recipe.yml to the content_moderation module. The recipe does the following steps:

  - Install the content_moderation module.
  - Install related optional configuration (for the editorial workflow) from the standard profile.
  - Grant permissions, which depend on the module and the configuration, to the content_editor role.

Now, I have the option of installing the module or applying the recipe. Using Drush, the two options are
drush en content_moderation
drush recipe core/modules/content_moderation
Of course, any other recipe that wants to install the module can apply the recipe instead.
I do not have any other examples in mind, but I suspect that there are many modules that can benefit from the same approach.
Comment #2 added the "Security improvements" issue tag. I think the security improvement was already done by the related issue #3221258: Fix content editor role to only have permissions that exist, so I am removing the tag from this issue.
- 🇺🇸 United States thejimbirch Cape Cod, Massachusetts
You could simplify the recipe a bit by using standard's editorial_workflow also so you also get the optional views.view.moderated_content config which you aren't importing currently.

```yaml
name: 'Content Moderation'
description: 'Adds permissions to standard user roles for the Content Moderation module.'
type: 'Users'
recipes:
  - core/recipes/editorial_workflow
config:
  actions:
    user.role.content_editor:
      grantPermissions:
        - 'view any unpublished content'
        - 'view latest version'
        - 'use editorial transition archive'
        - 'use editorial transition archived_draft'
        - 'use editorial transition archived_published'
        - 'use editorial transition create_new_draft'
        - 'use editorial transition publish'
```
- 🇺🇸 United States benjifisher Boston area
Thanks for that suggestion. I did not realize that core/recipes/ had any recipes beyond what the standard profile uses.

Another option is to add these permissions in the editorial_workflow recipe or in a new recipe under core/recipes/.

Either way, we should probably add a dependency on the content_editor_role recipe.
- 🇺🇸 United States smustgrave
Can the issue summary be updated as well, please?
- 🇺🇸 United States benjifisher Boston area
I am updating the Proposed resolution in the issue summary (and making minor edits to the rest).
- 🇺🇸 United States benjifisher Boston area
I updated the MR to add the permissions in the existing editorial_workflows recipe.

In Comment #21, I wrote,

> I did not realize that core/recipes/ had any recipes beyond what the standard profile uses.

I see now that this recipe was created as a place to put the optional configuration workflows.workflow.editorial from the standard profile. Since the permissions I am adding depend on the workflows transitions defined in that configuration entity, I think it is a good idea to put the permissions and the config in the same recipe.

I would like further review of this issue, but I am leaving the status at NW because there are other permissions from other modules that I want to add.
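
The dependency described in the comment above (the granted permissions exist only once the module is installed and the editorial workflow config is imported), as an added Python sketch that is not part of MR 9651 or of Drupal. The function names are hypothetical, the permission names are the ones listed in this thread, and treating the two `view ...` permissions as module-defined and the rest as derived from workflow transitions is an assumption of the example.

```python
"""Added example: which granted permissions would not exist on a given site state."""

# Permissions the thread lists under content_moderation that are not tied to a
# workflow transition (treating them as module-defined is an assumption here).
MODULE_PERMISSIONS = {
    "content_moderation": {"view any unpublished content", "view latest version"},
}

# Transitions of the editorial workflow, as named in the thread's permissions.
EDITORIAL_TRANSITIONS = [
    "archive", "archived_draft", "archived_published", "create_new_draft", "publish",
]

# The grants from the recipe posted earlier in the thread.
CONTENT_EDITOR_GRANTS = [
    "view any unpublished content",
    "view latest version",
] + [f"use editorial transition {t}" for t in EDITORIAL_TRANSITIONS]


def existing_permissions(modules, workflows):
    """Permissions defined by the installed modules plus imported workflow config."""
    perms = set()
    for module in modules:
        perms |= MODULE_PERMISSIONS.get(module, set())
    # Transition permissions need both the module and the workflow config entity.
    if "content_moderation" in modules:
        for workflow_id, transitions in workflows.items():
            perms |= {f"use {workflow_id} transition {t}" for t in transitions}
    return perms


def nonexistent_grants(grants, modules, workflows):
    """Grants on a role that no installed module or imported config defines."""
    return sorted(set(grants) - existing_permissions(modules, workflows))


if __name__ == "__main__":
    # Constructed site states: the three orders in which a grant could be applied.
    states = {
        "nothing installed": (set(), {}),
        "module only": ({"content_moderation"}, {}),
        "module + workflow": ({"content_moderation"}, {"editorial": EDITORIAL_TRANSITIONS}),
    }
    for label, (modules, workflows) in states.items():
        print(label, nonexistent_grants(CONTENT_EDITOR_GRANTS, modules, workflows))
```
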
- 🇺🇸 United States benjifisher Boston area
Looking at #3221258: Fix content editor role to only have permissions that exist, these are the permissions that were removed, grouped by module:

Core modules

  - content_moderation
    - use editorial transition archive
    - use editorial transition archived_draft
    - use editorial transition archived_published
    - use editorial transition create_new_draft
    - use editorial transition publish
    - view any unpublished content
    - view latest version
  - content_translation
    - create content translations
    - delete content translations
    - update content translations
  - media
    - access media overview
    - create media
    - delete media
    - update media
    - view all media revisions
    - view own unpublished media

Contrib modules that used to be part of core

  - aggregator
    - access news feeds
  - book
    - access printer-friendly version
    - add content to books
    - create new books
  - node module, if the book content type is defined (optional config in the book module)
    - delete own book content
    - edit own book content
    - delete book revisions
    - create book content
  - statistics
    - view post access counter

MR 9651 already handles the permissions from the content_moderation module. It should also handle permissions from the content_translation and media modules. We might need new recipes for these: none of the core recipes enable either of these modules directly. The *_media_type recipes enable media indirectly (by enabling the media_library module). Perhaps one of the core recipes enables content_translation indirectly, but I do not think so.

What about the aggregator, book, and statistics modules? (These modules were in Drupal core when the content_editor role was created, but have since been removed.) One option is to create separate projects on d.o with recipes for each. If we consider letting modules define their own recipes, as I suggested in Comment #18, then we could add recipes to those contrib modules and add the permissions in those recipes.
- 🇺🇸 United States thejimbirch Cape Cod, Massachusetts
Modules can't provide recipes. Recipes need to be their own packages and kept in a single folder suggested to be above web root.
Core recipes location is the only exception. This is so the recipe runner knows where to look for dependent recipes.
Modules also can contain recipes as there would be conflicts with the config folder as recipes and modules have different needs and structures.
- 🇺🇸 United States benjifisher Boston area
We discussed this issue briefly at Drupal Usability Meeting 2024-10-04. That issue will have a link to a recording of the meeting.

@rkoller pointed out that I should consider the recipes in https://git.drupalcode.org/project/drupal_cms as well as the core recipes. In particular, the drupal_cms_multilingual recipe already enables the content_translation module and adds permissions to the content_editor role. Probably nothing more has to be done for that module. I have not yet looked for recipes that enable the media module.

For the record, the attendees at the usability meeting were AaronMcHale, avani.bhut, benjifisher, rkoller, shaal, simohell, and zetagraph.