Permissions for bulk generate and update

Created on 19 October 2023, about 1 year ago
Updated 15 August 2024, 3 months ago

Problem/Motivation

This is a bit of a mix of bug and feature request. Currently there is a permission "Administer pathauto" with description of "Allows a user to configure patterns for automated aliases and bulk delete URL-aliases.". To me this means that this permission controls who can "configure patterns for automated aliases" and also "bulk delete URL-aliases".

But this is not the case, since the Pathauto route "pathauto.admin.delete" that is used for the bulk deletion at /admin/config/search/path/delete_bulk actually requires the permission "administer url aliases" from core's Path module. The same goes for the route "pathauto.bulk.update.form" that allows bulk updating aliases.

So either the "Administer pathauto" permission description should be fixed, or the routes should be changed to require the "Administer pathauto" permission or even have their own specific permissions. Personally I would see the route change or new permissions as more logical, and it would also allow assigning the permission "administer url aliases" without allowing users to bulk remove and update url aliases.

🐛 Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

🇫🇮Finland thatguy


Comments & Activities

  • Issue created by @thatguy
  • 🇫🇮Finland Alexander Tallqvist

    I'm planning to work on this the upcoming Friday at Siili Solutions Drupal-contrib day.

  • Core: 10.1.x + Environment: PHP 8.1 & MySQL 5.7
    last update about 1 year ago
    48 pass
  • Pipeline finished with Success
    about 1 year ago
    Total: 301s
    #47318
  • Status changed to Needs review about 1 year ago
  • 🇫🇮Finland Alexander Tallqvist

    I added a new merge request which can be tested. The merge request adds two new permissions to the module. The permission bulk update aliases is needed when accessing the pathauto.bulk.update.form route, and the permission bulk delete aliases when accessing the pathauto.admin.delete route. The tests and the description for the administer pathauto permission have also been updated to reflect the changes.

  • Core: 10.1.x + Environment: PHP 8.1 & MySQL 5.7
    last update about 1 year ago
    48 pass
  • 🇫🇮Finland Alexander Tallqvist

    I discussed the implemented changes with a colleague and ended up modifying the merge request a bit. The route pathauto.bulk.update.form now requires either the administer pathauto OR the bulk update aliases permission, and the route pathauto.admin.delete requires either the administer pathauto OR the bulk delete aliases permission. This is because the administer pathauto permission indicates that a user should have access to everything pathauto related. The description for the administer pathauto permission has also been updated to reflect these changes.

  • Pipeline finished with Success
    about 1 year ago
    Total: 393s
    #47351
  • Status changed to RTBC about 1 year ago
  • 🇫🇮Finland tormu

    Tested with the usual case in mind, being "I want to give my client the ability to create new path aliases but not give them anything related to pathauto, including bulk delete stuff"

    Given the permissions as per attachment, the user with Content editor role now only sees the alias addition functionality in /admin/config/search/path - the "Bulk generate" and "Delete aliases" tabs are no longer there.
    So works as I was hoping it to.

    "Administer pathauto" or the correct one of the two new permissions is now required to access those aforementioned two tabs.

    PS. Only tested the functionality from Drupal UI using DrupalPod, did not review code.

  • First commit to issue fork.
  • Pipeline finished with Skipped
    4 months ago
    #240414
  • Status changed to Fixed 4 months ago
  • 🇨🇭Switzerland berdir Switzerland

    Yeah, edge case. This will result in sites no longer having access to those pages, and I'm not sure if we should have an update function to ensure that things work as before, but I also agree that this doesn't match the documentation and is somewhat unintended.

    It's a nice change that makes it easier to give non-admin users access to administer url aliases without the more complex and bulk create and delete sections, so let's go with it, will put something in the release notes that nobody will read ;)

  • Automatically closed - issue fixed for 2 weeks with no activity.
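
The thread notes that roles which reached the bulk forms through "administer url aliases" lose that access after the change, and that no update function was shipped. The following is an added example, not code from the merge request or from Pathauto: a site-side audit helper that finds those roles and can optionally re-grant access. The function name `mymodule_pathauto_bulk_access_audit` is hypothetical, and the permission names are used as written in the comments above.

```php
<?php

use Drupal\user\Entity\Role;

/**
 * Lists, and optionally restores, bulk access lost by the permission change.
 *
 * Hypothetical helper for a site's own custom module (not Pathauto code).
 * Before the change, "administer url aliases" opened both bulk routes; after
 * it, a role needs "administer pathauto" or the matching new permission.
 *
 * @param bool $grant
 *   FALSE only reports affected roles; TRUE also grants the new permissions.
 *
 * @return string[]
 *   IDs of roles that no longer reach the bulk update and delete forms.
 */
function mymodule_pathauto_bulk_access_audit(bool $grant = FALSE): array {
  $affected = [];
  foreach (Role::loadMultiple() as $role) {
    // Admin roles implicitly hold every permission, so nothing changes.
    if ($role->isAdmin()) {
      continue;
    }
    // Only roles that satisfied the old route requirement are relevant.
    if (!$role->hasPermission('administer url aliases')) {
      continue;
    }
    // "administer pathauto" still satisfies both routes (OR requirement).
    if ($role->hasPermission('administer pathauto')) {
      continue;
    }
    // Skip roles that were already given both new permissions.
    if ($role->hasPermission('bulk update aliases')
      && $role->hasPermission('bulk delete aliases')) {
      continue;
    }
    $affected[] = $role->id();
    if ($grant) {
      $role->grantPermission('bulk update aliases');
      $role->grantPermission('bulk delete aliases');
      $role->save();
    }
  }
  return $affected;
}
```

Calling it with the default `FALSE` first gives the list of roles to review one by one, which suits the use case tested above where a content editor role is meant to keep alias editing without the bulk tabs.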
