Permission for admin forms not correct

Created on 24 February 2023, over 1 year ago
Updated 16 March 2023, over 1 year ago

Problem/Motivation

While writing automated tests I discovered an issue with access permissions.

The current permission in access_by_ref.routing.yml contains the following permission setting:

_permission: 'administer site configuration + administer access_by_ref_settings settings'

This has several problems:

  • The permission "administer access_by_ref_settings settings" should not have "_settings".
    The permission defined in access_by_ref.permissions.yml is "administer access_by_ref settings".
  • There cannot be spaces around the + operator.
    Even when the permission name was corrected, access was denied due to the spaces.
  • I'm not convinced "administer site configuration" is needed at all.
    The administrator user has automatic access to all admin forms, so I think only administer access_by_ref settings is required.
    I think "administer access_by_ref settings" should be all that's needed for the admin forms.
    I also think that a lot of people don't realise "+" is the "or" operator for permissions, so its use should be avoided unless essential.

Steps to reproduce

  1. Create a user with "administer access_by_ref settings" permission only.
  2. Navigate to "/admin/config/content/access_by_ref" page.
  3. Verify access denied error.

Proposed resolution

Update permissions yml file to only require "administer access_by_ref settings" permission.

Remaining tasks

Submit merge request with updated permissions file.

User interface changes

None

API changes

None

Data model changes

None
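As an added illustration (not code from the module or from Drupal core), the following Python models how core's PermissionAccessCheck splits a `_permission` requirement: a "," joins permissions with AND, otherwise a "+" joins them with OR, and the parts are compared verbatim without trimming, which is why both the typo and the spaces in the original string deny access. The test account and the lint helper are constructed for this example.

```python
# Added example (not module or Drupal core code): a small model of how core's
# PermissionAccessCheck evaluates a route's `_permission` requirement, plus a
# lint helper that catches the two defects reported in this issue.

# Permission the module defines in access_by_ref.permissions.yml.
MODULE_PERMISSIONS = {"administer access_by_ref settings"}
# Core permission referenced by the original routing entry.
CORE_PERMISSIONS = {"administer site configuration"}

# The `_permission` string from the issue and the proposed replacement.
BUGGY_REQUIREMENT = "administer site configuration + administer access_by_ref_settings settings"
FIXED_REQUIREMENT = "administer access_by_ref settings"


def split_requirement(requirement):
    """Mirror core: ',' joins permissions with AND; otherwise '+' joins with OR.

    Parts are not trimmed, so a space next to an operator becomes part of the name.
    """
    if "," in requirement:
        return "AND", requirement.split(",")
    return "OR", requirement.split("+")


def route_allows(requirement, user_permissions):
    """Return True if an account holding `user_permissions` passes the route check."""
    mode, names = split_requirement(requirement)
    hits = [name in user_permissions for name in names]
    return all(hits) if mode == "AND" else any(hits)


def lint_requirement(requirement, known_permissions):
    """List problems in a `_permission` string: stray whitespace, unknown names."""
    problems = []
    for name in split_requirement(requirement)[1]:
        if name != name.strip():
            problems.append(f"whitespace next to operator in {name!r}")
        if name.strip() not in known_permissions:
            problems.append(f"undefined permission {name.strip()!r}")
    return problems


if __name__ == "__main__":
    # Constructed test account holding only the module's own permission.
    account = {"administer access_by_ref settings"}
    print(route_allows(BUGGY_REQUIREMENT, account))   # False: access denied
    print(route_allows(FIXED_REQUIREMENT, account))   # True
    for problem in lint_requirement(BUGGY_REQUIREMENT, MODULE_PERMISSIONS | CORE_PERMISSIONS):
        print(problem)
```

Running the lint over a module's routing entries against its permissions.yml (plus the core permissions it relies on) is a cheap way to catch this class of misconfiguration before it reaches a test suite.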

🐛 Bug report
Status

Fixed

Version

2.0

Component

Code

Created by

🇮🇪Ireland lostcarpark


Comments & Activities


  • Issue created by @lostcarpark
  • @lostcarpark opened merge request.
  • Status changed to Needs review over 1 year ago
  • 🇮🇪Ireland lostcarpark

    Created pull request for change to fix permissions.

  • 🇺🇸United States ultimike Florida, USA

    I think this change makes sense.

    For the record, the only use of multiple permissions in a route permission that I could find in Drupal Core looks like this:

    entity.workspace.collection:
      path: '/admin/config/workflow/workspaces'
      defaults:
        _title: 'Workspaces'
        _entity_list: 'workspace'
      requirements:
        _permission: 'administer workspaces+edit any workspace'

    -mike

  • Status changed to Fixed over 1 year ago