Invalid permissions message should mention Drupal 9.3 update hook

I think it is an add-on that you would have to install. You can probably find it with a web search.

I found this link but I don't speak English, I use a translator. What command should I enter in cli?

https://drushcommands.com/drush-9x/role/role:perm:remove/

Do you have a solution because this completely blocks the update to Drupal 10 :

https://www.drupal.org/project/drupal/issues/3335486 💬 Unable to upgrade Drupal 9 to Drupal 10 Fixed

drush role:perm:remove ROLE 'PERMISSION'

PERMISSION can be a comma-separated list.

I discussed this with core committers. There are three ways you would fix this:

1. Run the 9.3 update that clears it out automatically. For those experiencing this after the 9.3 update, it would be good to know if you did not run that update or imported outdated config that was prior to it being fixed?
2. Create a custom module to define the permissions you still need and resolve it from there.
3. Remove the permission assignments.

Since this is a choice the site owner needs to make, and there is nothing in Drupal core apparently other than the 9.3 update that would automatically fix it, I think the best that Upgrade Status could do is to provide an admin screen with checkboxes to remove the permission assignments.

I was seeing this on a pre-9.3 site. All I was after was a message telling me that this problem will resolve itself by upgrading to 9.3.

I'm getting that same error on my site as well but my problem is the module it's complaining about was removed a while ago. I have no idea how to remove permissions from a module that doesn't exist anymore.

Note that the invalid permissions don't have to be permissions provided by Drupal core. They can come from contrib modules as well.

I discovered that invalid permissions was a thing after I removed a feed type ( Feeds → module) on a site. (I realise that I could have known this if I had read the Drupal 9.3 release notes more carefully.)
So as a module maintainer, I found out that when specifying permissions related to a config entity, since Drupal 9.3 I need to make sure the permissions depend on that config entity. For Feeds, this got fixed in #3327572: [D10] Removing a feed type should clean up permissions → .

Anyway, the point is that not every contrib module (that provides permissions based on config entities) may have been adapted yet to the Permissions must exist → change. So even if you had ran the Drupal 9.3 update, you could still run into this problem when you delete certain config entities (provided by contrib modules) afterwards.

If you upgrade to 9.3 (or 9.4 or 9.5) and run the database updates, then the "phantom permissions" are removed, with some very explicit log messages.

If you did that, then I think the most likely way to run into trouble is if you later imported configuration that contained the "phantom" permissions. In other words, the question in #15.1 is on point.

I thought that the suggestion in #7 would work, but it does not. Saving a role with "phantom permissions" in D9 (9.3+) will trigger a deprecation message (but you will never see it) without removing the permission. Saving such a role on D10 will throw an exception, but not delete the permission.

There is a way to fix it in the admin UI, although it is clunky. It will work on D9 or D10. Go to /admin/config/development/configuration/single/export (export a single config item). Choose Configuration type: Role, then select a role that you have to fix, one at a time. Copy the YAML from that page, then head over to /admin/config/development/configuration/single/import (Single import). Choose Configuration type: Role, then paste in the YAML that you copied. Delete the line(s) for the phantom permission(s), submit the form, and confirm. Go on to the next role.

If you use config management and a text editor, it is much easier to export, edit, import.

If there is enough demand for it, I could contribute a module that copies the update function from Drupal 9.3 and provides a form to execute it and give some feedback.

Adding a UI to fix this could be helpful. That is not what this issue was created for. I was seeing this on a pre-9.3 site. All I was after was a message telling me that this problem will resolve itself by upgrading to 9.3. As has been observed above, this problem could happen in other ways, post-9.3. That should probably be addressed in a separate issue.

#19 has worked perfectly

Adding a couple of details which weren't on this issue yet. I'm seeing this with Acquia's Cohesion permissions on a D10 upgrade.

• The Drupal 9.3 update hook mentioned but unnamed a few times this issue is user_post_update_update_roles()
• That hook was introduced in #2571235: [regression] Roles should depend on objects that are building the granted permissions → (9.3.x) and removed in #3261486: Remove core updates added prior to 9.3.0 and adjust test coverage → (10.1.x)
• There's a change record: Permissions must exist →
• As well as the manual cleanup methods above,
  • There's a drush scr snippet in a comment on that change record above
  • There's a module for that: Remove Invalid Permissions →
  • I'm guessing repeating the update hook should work (and I'll be trying that first)

I haven't yet tested any of the above approaches, but thought I'd capture these details from my quick scout for anyone else who landed here.

The Remove Invalid Permissions (RIP) module seems to be doing a fine job as far as I see. https://git.drupalcode.org/project/rip/-/commit/3cfade5a4f9841b6d7624aed... -- it implements a drush command and asks for each permission / role combination to confirm. Should Upgrade Status suggest that to use? Did that work for people?

#23 I think is working for me, after running that and checking /admin/people/permissions for sanity...
the "upgrade status" is no longer ocmplaining. thanks Galbor.

I followed the steps in #22, running the code using drush core-cli, and that works. I also tried using RIP, and that works too.

Should Upgrade Status suggest that to use? Did that work for people?

I do think Upgrade Status should suggest a solution.

rip module is asking to remove permission and shows message that it is removed but upgrade status still showing the permissions issue.
Module not working for me