Granular permissions are needed for JSON:API

Created on 4 July 2023, 12 months ago

Problem/Motivation

I have a decoupled architecture where content from Drupal is exposed via JSON:API. The requests to the JSON:API endpoint consider the current user to be anonymous. The only way to get the external link popup entities exposed through JSON:API is to grant the "Administer external link pop-ups" permission to the Anonymous user role. Doing that is not an option because it also allows anonymous users to perform CRUD operations on external link popup entities if the end user knows the routes.

Steps to reproduce

  1. Enable JSON:API module
  2. Install & enable External Link Pop-up module
  3. Navigate to the JSON:API endpoint and click on the External Link Pop-up resource link
  4. You'll have an "Access denied" message
  5. Grant "Administer external link pop-ups" permission to the Anonymous role and request the External Link Pop-up resource via JSON:API again
  6. You'll receive a list of entities

Proposed resolution

A proposed solution is to have more granular permissions for CRUD operations: view, create, edit, delete, etc.

Remaining tasks

A patch with the proposed solution is to be implemented.

User interface changes

Nope

API changes

Nope

Data model changes

Nope

✨ Feature request
Status

Needs review

Version

2.0

Component

Code

Created by

🇧🇬 Bulgaria nikolabintev


Comments & Activities

  • Issue created by @nikolabintev
  • 🇧🇬 Bulgaria nikolabintev

    After further investigation, I realized that we don't need CRUD permissions to handle this. I checked the implementation of the Vocabulary entity and they handle it by using the "access taxonomy overview" permission, so I introduced the "view external link popup" permission that can be assigned to the anonymous user role. Another way to solve it is to implement the entity_access or ENTITY_TYPE_access hooks.

    Please find the attached patch and let me know your opinion.

  • Status changed to Needs review 12 months ago
  • Test run (Jenkins): Core: 10.0.7 + Environment: PHP 8.2 & MySQL 8
    last update 12 months ago
    1 pass
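The approach discussed in the comment above (a separate read-only permission so that JSON:API GET requests succeed for anonymous users while create, update and delete stay behind the administrative permission) can be expressed as an entity access control handler. This is an added example, not the module's own code or the attached patch; the namespace, class name and the permission machine names are assumptions.

```php
<?php

// Namespace and class name are assumed for this example.
namespace Drupal\external_link_popup\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Separates read access from administration for external link popup entities.
 *
 * Wire it up via the entity type annotation, e.g.
 *   handlers = { "access" = "Drupal\external_link_popup\Access\ExternalLinkPopupAccessControlHandler" }
 * and declare VIEW_PERMISSION in the module's *.permissions.yml file.
 */
class ExternalLinkPopupAccessControlHandler extends EntityAccessControlHandler {

  // Permission machine names are assumptions; match them to the module's own.
  const VIEW_PERMISSION = 'view external link popup';
  const ADMIN_PERMISSION = 'administer external link popup';

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // JSON:API collection and individual GET requests check the 'view'
    // operation. Either permission satisfies it, so the anonymous role can be
    // granted VIEW_PERMISSION alone and gains no write capability.
    if ($operation === 'view') {
      return AccessResult::allowedIfHasPermissions($account, [self::VIEW_PERMISSION, self::ADMIN_PERMISSION], 'OR')
        ->cachePerPermissions();
    }
    // 'update', 'delete' and any other operation still require the
    // administrative permission, keeping the entity's CRUD routes closed.
    return AccessResult::allowedIfHasPermission($account, self::ADMIN_PERMISSION)
      ->cachePerPermissions();
  }

  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
    return AccessResult::allowedIfHasPermission($account, self::ADMIN_PERMISSION)
      ->cachePerPermissions();
  }

}
```

The cacheability metadata (`cachePerPermissions()`) matters here: without it, a cached "allowed" result for the 'view' operation could be served to a user whose role set differs from the one it was computed for.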