Module does not work with routes that implement _entity_access

Open on Drupal.org →

Created on 28 September 2022, over 2 years ago

Updated 31 January 2023, about 2 years ago

Problem/Motivation

As per issue title, some routes implement _entity_access. In those cases, creating custom permissions based on the route alone won't work.

Steps to reproduce

Take the "administer date-time" permission for example, which is to allow people to view the list of date formats, and also allow them to create new formats, as well as to allow editing/deleting existing formats. That permission has the following routes configured:

entity.date_format.collection
system.date_format_add
entity.date_format.edit_form
entity.date_format.delete_form

So in theory, you've got everything required for the permission to work as expected. What happens in reality though is that people with roles that have that permission granted are only able to access the date/time formats listing page, and create new formats. They cannot edit/delete formats, as the operations dropbuttons are not being rendered at all.

The above also has the side effect of people being able to create a new format, but soon as they create it, they cannot edit/delete it.

Proposed resolution

Allow specifying entity access for permissions, and have that work.

Remaining tasks

Figure out how to make this work.
Write the code for it.
Review and test the code.
Merge the changes.
Create a new release of the module.
Close this issue.

User interface changes

There will be another column in the custom permissions configuration page, which will allow people to configure any required entity permissions.

API changes

TBD

Data model changes

TBD

🐛 Bug report

Status

Needs review

Version

2.0

Component

Code

Created by

🇦🇺Australia klonos 90% Melbourne, Australia - 10% Larissa, Greece

Live updates comments and jobs are added and updated live.

Incomplete comments

Sign in to follow issues

Merge Requests

!3Module does not work with routes that implement _entity_access
Open
🇺🇸United States Kristen Pol
updated 2 months ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 2 years ago →
🇦🇺Australia mingsong 🇦🇺
Does the patch from #2 check the permission for current account?

What happen if a user update or delete an entity via JSON API when the according custom permission is enable but that user doesn't have the permission to do so?
Assigned to Kristen Pol
Comment 2 months ago →
🇺🇸United States Kristen Pol Santa Cruz, CA, USA
I'm going to make a release soon so looking at all recently fixed issues along with RTBC and needs review.
Comment 2 months ago →
🇺🇸United States Kristen Pol Santa Cruz, CA, USA
kristen pol → changed the visibility of the branch 3312434-module-does-not to hidden.
Merge request !3Add hook_entity_access for entity route access. → (Open) created by Kristen Pol
Comment 2 months ago →
🇺🇸United States Kristen Pol Santa Cruz, CA, USA
Thanks, everyone. I've moved into an MR and made some minor changes.

We need someone to test this and make sure it fixes the issue.

@ameymudras Also see the questions from @mingsong in #3.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024