Remove reliance on View published content permission

Created on 22 October 2022, over 2 years ago
Updated 7 March 2023, almost 2 years ago

Problem

The vitals endpoint router checks the "View published content" ('access content') permission to allow access to the endpoint. While it makes sense to provide an access check, it is not very useful to use the access content permission.

Scenario 1:
When you don't want anonymous users to access your content (intranets for example), the vitals endpoint isn't available.

Scenario 2:
Maybe you only want to allow logged-in users to access the endpoint. You don't want to / can't disable the "View published content" permission.

Steps to reproduce

Turn off the "View published content" permission, and try to access the Vitals endpoint as an anonymous user. You'll be greeted by a 403.

Proposed resolution

Replace the 'access content' permission check in vitals.routing.yml with a custom 'access vitals endpoint' permission. This permission should be active by default.

Remaining tasks

  • Create new 'access vitals endpoint' permission
  • Add update to enable this permission for all users on existing sites, to ensure that the endpoint will still work after the update. (maybe we want to copy the View published content permission settings?)
🐛 Bug report
Status

Postponed: needs info

Version

2.2

Component

Code

Created by

🇧🇪Belgium tijsdeboeck Antwerp 🇧🇪 🇪🇺 🌎
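
One way to implement the update listed under "Remaining tasks", as an added example that is not part of the original issue or the Vitals module's own code. It copies the existing "View published content" assignments to the new permission, so the endpoint stays reachable by exactly the roles that could reach it before; the update number 9001, the permission title and the YAML shown in the file comment are assumptions.

```php
<?php

/**
 * @file
 * Sketch of a vitals.install update (hypothetical, not the module's code).
 *
 * Assumes vitals.permissions.yml defines the new permission:
 *   access vitals endpoint:
 *     title: 'Access Vitals endpoint'
 * and that the route in vitals.routing.yml now requires it:
 *   requirements:
 *     _permission: 'access vitals endpoint'
 */

use Drupal\user\Entity\Role;

/**
 * Grant 'access vitals endpoint' to every role that has 'access content'.
 */
function vitals_update_9001() {
  $granted = [];
  foreach (Role::loadMultiple() as $role) {
    // Admin roles implicitly hold every permission; nothing to store.
    if ($role->isAdmin()) {
      continue;
    }
    // Mirror the old access rule: only roles that could already reach the
    // endpoint through 'access content' receive the new permission.
    if ($role->hasPermission('access content')
      && !$role->hasPermission('access vitals endpoint')) {
      $role->grantPermission('access vitals endpoint');
      $role->save();
      $granted[] = $role->id();
    }
  }
  return $granted
    ? t('Granted "access vitals endpoint" to: @roles', ['@roles' => implode(', ', $granted)])
    : t('No roles needed the "access vitals endpoint" permission.');
}
```

On a site that has already removed "View published content" from anonymous users (Scenario 1), this update grants nothing to the anonymous role, so exposing the endpoint there remains an explicit decision on the permissions page.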
