Non-group permission within a group?

Created on 1 March 2023, over 1 year ago
Updated 17 September 2024, 2 months ago

We have group administrators, but they need a permission that is not a group permission.

For example, deleting comments.

We can't add them to a global role assigned to that user, because it needs to only apply when they are in a group that they administer.

I am working on a POC to assign global permissions to a group role but wanted to hear about other approaches.

💬 Support request

Status: Fixed
Version: 3.0
Component: Code
Created by: 🇺🇸 United States djdevin Philadelphia


Comments & Activities

  • Issue created by @djdevin
  • 🇧🇪 Belgium kristiaanvandeneynde Antwerp, Belgium

    This is a perfect case for the new API. I don't know enough about your use case and the example you gave (comments) is more complex than other entity types. But, in general, look up the specific entity operation that isn't supported yet ("view revision", "add comment", ...) and make it supported by using the new handler system to introduce a handler to one (or all) plugins. Then the rest will magically come out of the box.

    See: https://drupalcamp.be/en/drupal-dev-days-2022/session/reinventing-cores-...

    So if a module is doing $my_entity_type->access('something custom'); and you introduce a PermissionProviderInterface that returns an actual group permission name for "something custom", everything else will start working out of the box.

    Example of a module that supports Webform's custom "duplicate", "test" and "submission_page" operations:

      /**
       * {@inheritdoc}
       */
      public function getPermission($operation, $target, $scope = 'any') {
        // REMOVED OTHER CODE FOR CLARITY...
    
        // Take care of extra Webform entity operations.
        if ($target === 'entity') {
          switch ($operation) {
            case 'duplicate':
            case 'test':
              return "$operation $this->pluginId $target";
    
            case 'submission_page':
              return "access $this->pluginId submission page";
          }
        }
    
        return $this->parent->getPermission($operation, $target, $scope);
      }
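
The operation-to-permission mapping described in the comment above, modeled as an added example in plain PHP 8 (not part of the original thread and not the Group module's own code). The class names, `groupAccess()`, the plugin ID `my_plugin` and the permission strings are assumptions; only the `getPermission()` signature comes from the thread.

```php
<?php
// Added illustration: plain PHP 8, no Drupal bootstrap. All names are
// hypothetical except the getPermission() signature quoted in the thread.

interface PermissionProvider {
  public function getPermission(string $operation, string $target, string $scope = 'any'): string|false;
}

// Stand-in for the end of the decorator chain: knows only stock operations.
final class BaseProvider implements PermissionProvider {
  public function __construct(private string $pluginId) {}

  public function getPermission(string $operation, string $target, string $scope = 'any'): string|false {
    $stock = ['view', 'update', 'delete'];
    return in_array($operation, $stock, true)
      ? "$operation $scope {$this->pluginId} $target"
      : false;
  }
}

// Decorator: maps one custom operation to a group permission name and
// defers everything else to its parent.
final class CustomOperationProvider implements PermissionProvider {
  public function __construct(private PermissionProvider $parent, private string $pluginId) {}

  public function getPermission(string $operation, string $target, string $scope = 'any'): string|false {
    if ($target === 'entity' && $operation === 'something custom') {
      return "$operation {$this->pluginId} $target";
    }
    return $this->parent->getPermission($operation, $target, $scope);
  }
}

// Access check scoped to one group's role permissions. In this model an
// operation with no mapped permission is denied (fails closed).
function groupAccess(PermissionProvider $chain, array $rolePermissions, string $operation): bool {
  $name = $chain->getPermission($operation, 'entity');
  return $name !== false && in_array($name, $rolePermissions, true);
}

$chain = new CustomOperationProvider(new BaseProvider('my_plugin'), 'my_plugin');
// Constructed sample data: one user's role permissions in two different groups.
$adminInGroupA = ['something custom my_plugin entity', 'view any my_plugin entity'];
$memberInGroupB = ['view any my_plugin entity'];

var_dump(groupAccess($chain, $adminInGroupA, 'something custom'));
var_dump(groupAccess($chain, $memberInGroupB, 'something custom'));
var_dump(groupAccess(new BaseProvider('my_plugin'), $adminInGroupA, 'something custom'));
```

The three calls cover the group where the user's role holds the mapped permission, a group where it does not, and a chain without the decorator, where the custom operation has no permission name at all.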
    
  • Status changed to Fixed over 1 year ago
  • 🇧🇪 Belgium kristiaanvandeneynde Antwerp, Belgium
  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed 2 months ago
  • Hi Kristiaan,

    I feel this is not a group question itself, but I am struggling to find the answer on Google.
    How do I register a new Operation on a simple new node tab, e.g. node/%node/moderation, which points to a view?

    Thanks,
    T.

  • 🇨🇭 Switzerland titouille

    Hi,

    Not sure if the case is the same, but...

    I have a custom entity module that builds a "single page" system. This one is based on two entities: single_page and single_page_item.

    The single_page entity is a basic entity to build single pages. The single_page_item entity is a system of items that are attached to the single page to create multiple contents.

    single_page_item has a canonical path to show a list of items in a tab of the single_page entity instance. On this list, I have a "create new item" button as an action link (in single_page.links.action.yml). The route to create a new single page item (in single_page.routing.yml) has this requirement:

    _entity_create_access: 'single_page_item'

    But when I display the single_page item list within a group, the button doesn't exist.

    I implemented getPermission and buildPermissions like this:

      /**
       * {@inheritdoc}
       */
      public function getPermission($operation, $target, $scope = 'any') {
    
        switch ($operation) {
          case "create single_page_item":
            return $this->getEntityCreateSinglePageItemPermission();
        }
    
        return $this->parent->getPermission($operation, $target, $scope);
      }

      /**
       * {@inheritdoc}
       */
      public function buildPermissions() {
        $permissions = $this->parent->buildPermissions();
    
        // Instead of checking whether this specific permission provider allows for
        // a permission to exist, we check the entire decorator chain. This avoids a
        // lot of copy-pasted code to turn off or rename a permission in a decorator
        // further down the chain.
        $provider_chain = $this->groupRelationTypeManager()->getPermissionProvider($this->pluginId);
    
        $prefix = 'Single Page Item:';
        if ($name = $provider_chain->getPermission('create single_page_item', 'entity')) {
          $permissions[$name] = $this->buildPermission("$prefix Create new entity");
        }
        return $permissions;
      }
    
      /**
       * Gets the name of the create single page item permission for the entity.
       *
       * @return string|false
       *   The permission name or FALSE if it does not apply.
       */
      protected function getEntityCreateSinglePageItemPermission() {
        if ($this->definesEntityPermissions) {
          return "create $this->pluginId single_page_item";
        }
        return FALSE;
      }
    

    The permission appears in the list of permissions in the group, the tested user has the "administrator" role and the permission is checked for it, but when I navigate to the items list, the button is not displayed. I set up a breakpoint to see if the permission is checked, but there are only calls for entity.view, entity.update and entity.delete. It seems the action links are not triggering the permission checks...

    Maybe someone can point out what I'm doing wrong?

    Thanks in advance.
