Contrib.social

Granular permissions are needed for JSON:API

Open on Drupal.org →
Created on 4 July 2023, over 1 year ago

Problem/Motivation

I have a decoupled architecture where content from Drupal is exposed via JSON:API. The requests to the JSON:API endpoint consider the current user to be anonymous. The only way to get the external link popup entities exposed through JSON:API is to grant "Administer external link pop-ups" permission to the Anonymous user roles. Doing that is not an option because it also allows anonymous users to perform CRUD operations on external link popup entities if the end-user knows the routes.

Steps to reproduce

  1. Enable JSON:API module
  2. Install & enable External Link Pop-up module
  3. Navigate to the JSON:API endpoint and click on the External Link Pop-up resource link
  4. You'll have an "Access denied" message
  5. Grant "Administer external link pop-ups" permission to the Anonymous role and request the External Link Pop-up resource via JSON: API again
  6. You'll receive a list of entities

Proposed resolution

A proposed solution is to have more granular permissions for CRUD operations: view, create, edit, delete, etc.

Remaining tasks

A patch with the proposed solution is to be implemented.

User interface changes

Nope

API changes

Nope

Data model changes

Nope

Feature request
Status

Active

Version

2.0

Component

Code

Created by

🇧🇬Bulgaria nikolabintev

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @nikolabintev
  • Comment over 1 year ago
    🇧🇬Bulgaria nikolabintev

    After further investigation, I realized that we don't need CRUD permission to handle this. I checked the implementation of the Vocabulary entity and they handle it by using the "access taxonomy overview" so I introduced the "view external link popup" permission that can be assigned to the anonymous user role. Another way to solve it is to implement entity_access or ENTITY_TYPE_access hooks.

    Please find the attached patch and let me know your opinion.

  • Status changed to Needs review over 1 year ago
  • Open in Jenkins → Open on Drupal.org →
    Core: 10.0.7 + Environment: PHP 8.2 & MySQL 8
    last update over 1 year ago
    1 pass
  • Comment over 1 year ago
    🇧🇬Bulgaria nikolabintev
  • Status changed to Needs work 13 days ago
  • Comment 13 days ago
    🇧🇾Belarus dewalt

    Hmm, good point, but I think separate permissions aren't needed. The popup view could be shown public or with "access published content" permissions.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024