Exposing configurable languages through JSON:API is challenging due to permission issues

Created on 4 July 2023, over 1 year ago

Problem/Motivation

When I try to expose the configurable language resource through JSON:API I've got the following access check:

"The current user is not allowed to GET the selected resource. The 'administer languages' permission is required."

This is due to the fact that all requests to the JSON:API endpoint are considered to be made by unauthenticated users and I don't want to grant anonymous users "administer languages" permission in order to have the languages in JSON API.

Steps to reproduce

  1. Enable the JSON:API module
  2. Enable the Languge module
  3. (optional) Enable the "Configurable Language" resource in JSON:API extras if needed.
  4. (optional) Enable the "Configurable Language" resource in JSON:API extras if needed.
  5. Send an HTTP request to: {domain}/jsonapi/configurable_language/configurable_language

Proposed resolution

The quick fix for that is to implement hook_entity_access or hook_ENTITY_TYPE_access to modify the access control handler for "view" operations.

Another solution is to introduce a "view" permission for configurable languages similar to the Vocabulary entity where the "Access the taxonomy vocabulary overview page" permission can be used to have all vocabularies exposed through JSON:API

I'd like to hear your opinion on that.

Remaining tasks

Nothing yet.

User interface changes

Nope

API changes

Nope

Data model changes

Nope

Release notes snippet

Feature request
Status

Active

Version

10.1

Component
Language system 

Last updated about 19 hours ago

  • Maintained by
  • 🇩🇪Germany @sun
Created by

🇧🇬Bulgaria nikolabintev

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024