- Issue created by @JeroenT
- Open on Drupal.org βEnvironment: PHP 8.2 & MySQL 8last update
over 1 year ago Not currently mergeable. - @jeroent opened merge request.
- last update
over 1 year ago Custom Commands Failed - last update
over 1 year ago Custom Commands Failed - last update
over 1 year ago Custom Commands Failed - Status changed to Needs review
over 1 year ago 2:36pm 22 June 2023 - π§πͺBelgium JeroenT π§πͺ
I added test coverage in the MR that will fail and reproduces the bug.
- Status changed to Needs work
over 1 year ago 3:27pm 22 June 2023 The Needs Review Queue Bot β tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide β to find step-by-step guides for working with issues.
- last update
over 1 year ago Custom Commands Failed - last update
over 1 year ago 29,535 pass, 1 fail - Status changed to Needs review
over 1 year ago 4:18pm 22 June 2023 - Status changed to Needs work
over 1 year ago 10:54pm 22 June 2023 - last update
over 1 year ago 29,555 pass, 2 fail - Status changed to Needs review
over 1 year ago 11:07am 27 June 2023 - Status changed to Needs work
over 1 year ago 4:16pm 27 June 2023 - πΊπΈUnited States smustgrave
Seems failure in MR is legit to issue. Seems to be a permission problem.
- π¨π¦Canada Liam Morland Ontario, CA π¨π¦
@JeroenT do I understand correctly that the merge request triggers the bug but does not fix it?
- π§πͺBelgium JeroenT π§πͺ
@Liam Morland, Yes. The MR contains a test that triggers the bug.
I haven't found a fix for it, yet. - π©πͺGermany donquixote
This seems to be a general problem with left-over permissions on existing roles.
My comment from the other issue π RuntimeException: Adding non-existent permissions to a role is not allowed Active :
Here is what I propose instead:
On the "Manage permissions" form, left-over permissions are displayed in a dedicated section.
The admin / site builder can uncheck the permissions that no longer exist, or they can leave them in place.Any other time when a role is saved outside of the permissions form, orphan permissions are just silently left unchanged.
- π©πͺGermany donquixote
Steps to reproduce:
- Edit block.permissions.yml (or any other module permissions file). Add
tmp perm: {title: 'Temporary permission'}.
(by using block module, the permission will show up at the top of the permissions form) - Visit "admin/people/permissions". Assign the tmp perm to "Content editor" role (or any other role). Save the form.
- Remove the "tmp perm" from block.permissions.yml.
- Visit "admin/people/permissions". Save the form.
Result:
RuntimeException: Adding non-existent permissions to a role is not allowed. The incorrect permissions are "tmp perm". in Drupal\user\Entity\Role->calculateDependencies() (line 207 of core/modules/user/src/Entity/Role.php).Also any other process that saves a role with orphan permissions causes this.
This error message was introduced in
#2571235: [regression] Roles should depend on objects that are building the granted permissions β
https://git.drupalcode.org/project/drupal/-/commit/cffb02aad63664e7930a3...It was converted to a runtime exception in
#3261248: Remove deprecated user.module functions β
https://git.drupalcode.org/project/drupal/-/commit/dcc51c80a2ee2a26dd397... - Edit block.permissions.yml (or any other module permissions file). Add
- π©πͺGermany donquixote
One problem if we want to keep orphan permissions is that we cannot calculate their dependencies.
- π©πͺGermany donquixote
Workaround, if we ever encounter this error in a Drupal project:
Declare the bad permission in one of the *.permissions.yml files, visit admin/people/permissions to unset it from all roles, then remove the declaration again.
- π¨πSwitzerland berdir Switzerland
I don't think that's the same issue. The pemission UI should catch and handle that exception.
The actual issue here is pretty much by design, it's a chicken/egg situation with a permission that has a config dependency on itself aka the role. It can't be fixed without bypassing the strict permission validation that we have now, but the workaround is fairly easy: Add the permission in a second step after install/config import.
- π¨π¦Canada Liam Morland Ontario, CA π¨π¦
That is not a great work-around because config export will export the config and then import will import it. This will trigger this issue during functional tests.
- π¨πSwitzerland berdir Switzerland
I'm not saying it's great, but there's nothing else.
This is _only_ about a dependency on the role being created right now. A dependency on any other config entity works fine as long as you ensure that the config dependency is there and that config is imported first.