PathautoPattern entity does not allow "view" access without admin permission, making these entities inaccessible via REST, JSON API and GraphQL

Created on 6 July 2023, over 1 year ago
Updated 7 September 2023, over 1 year ago

Problem/Motivation

PathautoPattern 'view' permission is set to 'administer pathauto' which does not allow for exposing these entities via the jsonapi module (e.g. /jsonapi/pathauto_pattern/pathauto_pattern). Should view access always be granted to these entities? Or perhaps should there be a new permission which can be granted to anonymous, or any other specific role using the JSON:API for example.

Steps to reproduce

Create a pathautopattern
Enable JSON:API
Try to get these entities with postman using the URL "/jsonapi/pathauto_pattern/pathauto_pattern"

Proposed resolution

#1 I guess view access can always be granted.

#2 But maybe to be sure add another permission just for view access. See patch.

#3 Or maybe check the view access whether the request is going through JSON:API or something.

💬 Support request
Status

Postponed: needs info

Version

1.11

Component

Code

Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024