Centralize permission checks in a service

Created on 14 March 2023, almost 2 years ago
Updated 20 December 2023, about 1 year ago

Problem/Motivation

Currently, all permission checks go through:

  • User::hasPermission()
  • UserSession::hasPermission()

Both check for UID1 and then call the role storage's isPermissionInRoles() method. This means that all of the code is contained in a class we can't alter and a handler we can't easily alter (only one module can swap it out). The upside is that all of core's permission checks eventually make it to either of those functions.

So why don't we move these checks to a service? If we make sure all permission checks happen in for example a permission_checker service, then we can more easily intervene in permission checks by decorating said service and doing our thing.

I'm asking this because we currently have 2 types of access checks:

  • Permission checks, which is Role Based Access Control (RBAC)
  • Entity access, where we use Attribute Based Access Control (ABAC) mixed with RBAC

The latter we can easily interact with using hook_entity_access, the former we can't. Modules such as Group, Domain, etc. could be significantly more powerful if we could also interfere with the former. We could have a proper Policy Based Access Control (PBAC) system like this, e.g.: Editors can only edit when on certain machines or during office hours.

Furthermore, if we combine Flexible Permissions with this patch, the Domain module could become insanely simple in architecture. Words cannot describe how awesome this could be.

Proposed resolution

  1. Move the code from User(Session)::hasPermission() to a new service and that's it.
  2. Potentially mark the old methods as deprecated in a future Drupal version and force people to properly inject said service.

Remaining tasks

Review, discuss and potentially adjust the PoC

User interface changes

None

API changes

New service, no BC break

Data model changes

None

Release notes snippet

TBD

✨ Feature request
Status

Fixed

Version

11.0 πŸ”₯

Component
BaseΒ  β†’

Last updated 2 days ago

Created by

πŸ‡§πŸ‡ͺBelgium kristiaanvandeneynde Antwerp, Belgium

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024