Add proper documentation for entity type's admin_permission and collection_permission

Created on 17 June 2023, over 1 year ago
Updated 23 February 2024, 10 months ago

Problem/Motivation

This came up in Allow entities to specify a "collection permission" Fixed .

Currently there is no expansive documentation about an entity type's admin_permission or collection_permission annotation keys. The only thing that exists is:

The name of the default administrative permission.

which is the property documentation of \Drupal\Core\Entity\EntityType::$admin_permission,

The name of the collection permission.

which is the property documentation of \Drupal\Core\Entity\EntityType::$collection_permission

and this bit in entity.api.php about access handlers:

If your configuration entity has complex permissions, you might need an access control handling, implementing \Drupal\Core\Entity\EntityAccessControlHandlerInterface, but most entities can just use the 'admin_permission' annotation property instead.

But there is no actual documentation about what the admin permission and collection permission do concretely.

Steps to reproduce

-

Proposed resolution

  1. Change the documentation of \Drupal\Core\Entity\EntityType::$admin_permission to be:

    The name of the administrative permission.

    This permission must be declared separately by the module providing the entity type. Users with the administrative permission by default are allowed to perform any operation (for example create, view, update or delete) on any entity of the type and are granted access to the overview (or collection) of the entities of that type, if one exists. If a custom access control handler is declared, access can be restricted even for users with this permission.

  2. Change the documentation of \Drupal\Core\Entity\EntityType::$collection_permission to be:

    The name of the collection permission.

    This permission must be declared separately by the module providing the entity type. Users with the collection permission by default are allowed to access the overview (or collection) of the entities of that type, if one exists. It does not grant access to any particular entities, but in combination with other permissions makes it possible to grant users, for example, access to view entities of this type in the overview, but not edit or delete them or only grant users access to manage certain entities from the overview, but not all of them. If a custom access control handler is declared, access can be restricted even further for users with this permission or, alternatively, further access can be granted.

Remaining tasks

User interface changes

-

API changes

-

Data model changes

-

Release notes snippet

-

📌 Task
Status

Needs work

Version

11.0 🔥

Component
JSON API 

Last updated 2 days ago

Created by

🇩🇪Germany tstoeckler Essen, Germany

Live updates comments and jobs are added and updated live.
  • Needs subsystem maintainer review

    It is used to alert the maintainer(s) of a particular core subsystem that an issue significantly impacts their subsystem, and their signoff is needed (see the governance policy draft for more information). Also, if you use this tag, make sure the issue component is set to the correct subsystem. If an issue significantly impacts more than one subsystem, use needs framework manager review instead.

Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @tstoeckler
  • 🇩🇪Germany tstoeckler Essen, Germany

    So I was wondering how and where to document this and I found this in entity.api.php after the documentation of how to create a custom entity type and a bunch of the different handlers you can add (including the snippet about access handlers in the issue summary):

    Additional annotation properties can be seen on entity class examples such as \Drupal\node\Entity\Node (content) and \Drupal\user\Entity\Role (configuration). These annotation properties are documented on \Drupal\Core\Entity\EntityType.

    And while I don't think it's necessarily ideal to point people to \Drupal\Core\Entity\EntityType as that's not a particular well documented class in general, my vote would be to simply add some more elaborate documentation to the $adminPermission property. Maybe something like the following:

    The name of the administrative permission.

    This permission must be declared separately by the module providing the entity type. Users with the administrative permission by default are allowed to perform any operation (for example create, view, update or delete) on any entity of the type and are granted access to the overview (or collection) of the entities of that type, if one exists. If a custom access control handler is declared, access can be restricted even for users with this permission.

    Since this came up in Allow entities to specify a "collection permission" Fixed and the lack of documentation was noted there, here's something similar I would add for the collection permission either there or here, whichever one lands later:

    The name of the collection permission.

    This permission must be declared separately by the module providing the entity type. Users with the collection permission by default are allowed to access the overview (or collection) of the entities of that type, if one exists. It does not grant access to any particular entities, but in combination with other permissions may allow to grant users, for example, access to view entities of this type in the overview, but not edit or delete them or only grant users access to manage certain entities from the overview, but not all of them. If a custom access control handler is declared, access can be restricted even further for users with this permission or further access can be granted.

  • 🇩🇪Germany tstoeckler Essen, Germany

    Updating issue summary now that Allow entities to specify a "collection permission" Fixed landed.

    Also going ahead and adding my proposal as the proposed resolution and marking as Novice so someone can turn my suggestion into an actual patch. (Also minimally reworded my suggestion.)

  • Status changed to Needs review over 1 year ago
  • last update over 1 year ago
    Patch Failed to Apply
  • 🇮🇳India sidharth_soman Bangalore

    Hi, it seems like the \Drupal\Core\Entity\EntityType::$collection_permission property isn't available in 10.1.x-dev. I've made the required changes in 11.x instead.

    Please review this patch.

  • Status changed to Needs work over 1 year ago
  • 🇺🇸United States smustgrave

    Should check a patch applies before uploading.

  • last update over 1 year ago
    29,815 pass
  • Status changed to Needs review over 1 year ago
  • 🇩🇪Germany tstoeckler Essen, Germany

    As noted, it should be run against 11.x

  • Status changed to RTBC over 1 year ago
  • 🇺🇸United States smustgrave

    Good catch.

    Change looks simple and matches IS

  • last update over 1 year ago
    Patch Failed to Apply
  • last update over 1 year ago
    Patch Failed to Apply
  • last update over 1 year ago
    Patch Failed to Apply
  • last update over 1 year ago
    Patch Failed to Apply
  • last update over 1 year ago
    Patch Failed to Apply
  • last update over 1 year ago
    Patch Failed to Apply
  • last update over 1 year ago
    Patch Failed to Apply
  • Status changed to Needs work over 1 year ago
  • 🇳🇿New Zealand quietone

    Always like to see doc improvments!

    1. +++ b/core/lib/Drupal/Core/Entity/EntityType.php
      @@ -72,6 +72,10 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * This permission must be declared separately by the module providing the entity type.
      
      @@ -79,6 +83,11 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * This permission must be declared separately by the module providing the entity type.
      

      @sidharth_soman, all change to Drupal core are to meet the coding standards. Even though the line length is currently not test it should be followed. See Line length and wrapping .

    2. +++ b/core/lib/Drupal/Core/Entity/EntityType.php
      @@ -72,6 +72,10 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * This permission must be declared separately by the module providing the entity type.
      
      @@ -79,6 +83,11 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * This permission must be declared separately by the module providing the entity type.
      

      The word 'separtely' seems wrong to be. I think it can be removed without losing any meaning.

    I read the two new doc blocks and find both hard to follow. The contain long sentences with many phrases and 'ifs'. Surely this can be simpler for people with English as a first language (me) and people where English is not their first language.

  • Status changed to Needs review over 1 year ago
  • last update over 1 year ago
    29,958 pass
  • 🇮🇳India sourabhjain

    I have resolved the issue mentioned in #8. Please review.

  • Status changed to RTBC over 1 year ago
  • 🇺🇸United States smustgrave

    Seems feedback has been addressed.

  • last update over 1 year ago
    30,056 pass
  • last update over 1 year ago
    30,056 pass
  • last update over 1 year ago
    30,060 pass
  • last update over 1 year ago
    30,060 pass
  • last update over 1 year ago
    30,063 pass
  • last update over 1 year ago
    30,134 pass
  • Status changed to Needs work over 1 year ago
  • 🇳🇿New Zealand quietone

    Thanks for the updates! Also, thanks for interpreting my poor typing. Reading the lastest patch with dreditor I can still see lines that are not wrapped to 80 columns. :-(

    Now that I can read the text in the patch I also think it can be simplified a bit.

    1. +++ b/core/lib/Drupal/Core/Entity/EntityType.php
      @@ -72,6 +72,14 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * If a custom access control handler is declared,
      

      This will be easier to read with a blank line before this paragraph.

    2. +++ b/core/lib/Drupal/Core/Entity/EntityType.php
      @@ -72,6 +72,14 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * If a custom access control handler is declared,
      +   * access can be restricted even for users with this permission.
      

      This is not wrapped correctly.

    3. +++ b/core/lib/Drupal/Core/Entity/EntityType.php
      @@ -79,6 +87,18 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * If a custom access control handler is declared, access can be restricted
      +   * even further for users with this permission or, alternatively,
      +   * further access can be granted.
      

      Same here, add an empty line.

    4. +++ b/core/lib/Drupal/Core/Entity/EntityType.php
      @@ -79,6 +87,18 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * even further for users with this permission or, alternatively,
      +   * further access can be granted.
      

      This is not wrapped correctly

    5. +++ b/core/lib/Drupal/Core/Entity/EntityType.php
      @@ -72,6 +72,14 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * This permission must be declared by the module providing the entity type.
      +   * Users with the administrative permission by default are allowed to perform
      +   * any operation (for example create, view, update or delete) on any entity
      +   * of the type and are granted access to the overview (or collection) of the
      +   * entities of that type, if one exists.
      

      I suggest that we can say the same thing but a bit clearer. Correct this if I have missed something.

      "This permission must be declared by the module providing the entity type. Users with the administrative permission can perform create, view, update or delete operations on any entity of that type. They also are granted access to the overview (or collection) of the entities of that type, if one exists."

    6. +++ b/core/lib/Drupal/Core/Entity/EntityType.php
      @@ -79,6 +87,18 @@ class EntityType extends PluginDefinition implements EntityTypeInterface {
      +   * This permission must be declared by the module providing the entity type.
      +   * Users with the collection permission by default are allowed to access the
      +   * overview (or collection) of the entities of that type, if one exists.
      +   * It does not grant access to any particular entities, but in combination
      +   * with other permissions makes it possible to grant users, for example,
      +   * access to view entities of this type in the overview, but not edit or
      +   * delete them or only grant users access to manage certain entities from the
      +   * overview, but not all of them.
      

      Similarly, I suggest that we can say the same thing but a bit clearer. Correct this if I have missed something.

      "This permission must be declared by the module providing the entity type. Users with the collection permission are allowed to access the overview (or collection) of the entities of that type, if one exists. It does not grant access to any particular entities, but is used in combination with other permissions. For example. this makes it possible to grant users access to view entities of a particular type in the overview, but not edit or delete them. Another example is to grant users access to manage certain entities from the overview, but not all entities."

  • First commit to issue fork.
  • last update over 1 year ago
    30,135 pass
  • Status changed to Needs review over 1 year ago
  • 🇺🇸United States rpayanm

    I added the #11's suggestions.
    Please review.

  • 🇩🇪Germany tstoeckler Essen, Germany

    Thanks @quietone, agreed that your suggestion is clearer 👍

  • Status changed to RTBC over 1 year ago
  • 🇺🇸United States smustgrave

    Since no one picked this up for a month don't see an issue with rpayanm working on it.

    Just FYI with the novice tag we try and leave for more newer users @rpayanm
    .
    Appears feedback has been addressed so will RTBC.

  • last update over 1 year ago
    30,136 pass
  • last update over 1 year ago
    30,146 pass
  • last update over 1 year ago
    30,146 pass
  • last update over 1 year ago
    30,148 pass
  • last update over 1 year ago
    30,154 pass
  • Status changed to Needs review over 1 year ago
  • 🇳🇿New Zealand quietone

    Thanks for making the changes for #11. However, 5 and 6 in there changed the text as well. This also needs someone familiar with this system to read those changes and confirm they are correct. It is possible that my adjustments inadvertently changed the meaning.

    Setting back to NR.

  • 🇺🇸United States smustgrave

    @tstoeckler believe you implemented the admin_permission ticket, mind confirming the text.

  • Status changed to RTBC over 1 year ago
  • 🇩🇪Germany tstoeckler Essen, Germany

    Looks good to me. Since I didn't suggest this specific text and also didn't roll the patch, I think I can RTBC.

  • last update over 1 year ago
    30,161 pass
  • last update over 1 year ago
    30,165 pass
  • last update over 1 year ago
    30,166 pass, 2 fail
  • last update about 1 year ago
    30,205 pass
  • last update about 1 year ago
    30,205 pass
  • 6:34
    2:05
    Running
  • last update about 1 year ago
    30,361 pass
  • last update about 1 year ago
    30,360 pass
  • last update about 1 year ago
    30,371 pass
  • last update about 1 year ago
    30,379 pass
  • last update about 1 year ago
    30,377 pass
  • last update about 1 year ago
    30,382 pass
  • last update about 1 year ago
    30,392 pass
  • last update about 1 year ago
    30,397 pass
  • last update about 1 year ago
    30,397 pass
  • last update about 1 year ago
    30,414 pass
  • 51:33
    6:17
    Running
  • last update about 1 year ago
    30,426 pass
  • last update about 1 year ago
    30,427 pass
  • last update about 1 year ago
    30,437 pass
  • Status changed to Needs review about 1 year ago
  • 🇺🇸United States effulgentsia

    This is a nice start, so thank you for that, but I think the wording for the collection_permission doesn't address the feedback from #2953566-53: Allow entities to specify a "collection permission" . I agree with @gabesullice's comment there that:

    1. The collection permission should not control access to JSON:API collections.
    2. The documentation for the collection permission should make that clear.

    So, I'm tagging this for review from a jsonapi maintainer.

  • 🇺🇸United States effulgentsia

    Adding @gabesullice to this issue to notify him since he wrote that comment in the other issue.

  • 🇺🇸United States effulgentsia

    This is unfortunately complicated by the fact that it's a common request that site owners want to deny access to the /jsonapi/user/user URL to anonymous users, so one could easily think that once there's a collection_permission on the User entity type, that taking that permission away from the Anonymous role would accomplish that.

  • 🇺🇸United States smustgrave

    Elevating to framework manager after 1 month.

  • 🇬🇧United Kingdom catch

    @effulgentsia (a framework manager) explicitly asked for subsystem maintainer review on this issue and moved it down from RTBC in order to do so, so substituting back to a framework manager doesn't help move this issue forwards.

  • 🇺🇸United States smustgrave

    Posted in slack #contribute today just fyi.

  • Status changed to Needs work 10 months ago
  • 🇺🇸United States smustgrave

    Didn't see there were new threads opened.

Production build 0.71.5 2024