Contrib.social

Module does not work with routes that implement _entity_access

Open on Drupal.org →
Created on 28 September 2022, about 2 years ago
Updated 31 January 2023, almost 2 years ago

Problem/Motivation

As per issue title, some routes implement _entity_access. In those cases, creating custom permissions based on the route alone won't work.

Steps to reproduce

Take the "administer date-time" permission for example, which is to allow people to view the list of date formats, and also allow them to create new formats, as well as to allow editing/deleting existing formats. That permission has the following routes configured:

  • entity.date_format.collection
  • system.date_format_add
  • entity.date_format.edit_form
  • entity.date_format.delete_form

So in theory, you've got everything required for the permission to work as expected. What happens in reality though is that people with roles that have that permission granted are only able to access the date/time formats listing page, and create new formats. They cannot edit/delete formats, as the operations dropbuttons are not being rendered at all.

The above also has the side effect of people being able to create a new format, but soon as they create it, they cannot edit/delete it.

Proposed resolution

Allow specifying entity access for permissions, and have that work.

Remaining tasks

  1. Figure out how to make this work.
  2. Write the code for it.
  3. Review and test the code.
  4. Merge the changes.
  5. Create a new release of the module.
  6. Close this issue.

User interface changes

There will be another column in the custom permissions configuration page, which will allow people to configure any required entity permissions.

API changes

TBD

Data model changes

TBD

🐛 Bug report
Status

Needs review

Version

2.0

Component

Code

Created by

🇦🇺Australia klonos 90% Melbourne, Australia - 10% Larissa, Greece

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago
    🇦🇺Australia mingsong 🇦🇺

    Does the patch from #2 check the permission for current account?

    What happen if a user update or delete an entity via JSON API when the according custom permission is enable but that user doesn't have the permission to do so?

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024