Contrib.social

Permissions for bulk generate and update

Open on Drupal.org →
Created on 19 October 2023, 8 months ago
Updated 10 November 2023, 8 months ago

Problem/Motivation

This is a bit mix of bug and feature request. Currently there is a permission "Administer pathauto" with description of "Allows a user to configure patterns for automated aliases and bulk delete URL-aliases.". To me this means that this permission controls who can "configure patterns for automated aliases" and also "bulk delete URL-aliases".

But this is not the case since Pathauto route "pathauto.admin.delete" that is used for the bulk deletion at /admin/config/search/path/delete_bulk actually requires the permission "administer url aliases" from cores Path-module. Same for the route "pathauto.bulk.update.form" that allows bulk updating aliases.

So either the "Administer pathauto" permission description should be fixed or the routes should be changed to require the "Administer pathauto" permission or even have their own specific permissions. Personally I would see the route change or new permissions more logical and it would also allow assigning permission to "administer url aliases" without allowing users to bulk remove and update url aliases.

🐛 Bug report
Status

RTBC

Version

1.0

Component

Code

Created by

🇫🇮Finland thatguy

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @thatguy
  • Comment 8 months ago
    🇫🇮Finland thatguy
  • Comment 8 months ago
    🇫🇮Finland Alexander Tallqvist

    I'm planning to work on this the upcoming Friday at Siili Solutions Drupal-contrib day.

  • Open in Jenkins → Open on Drupal.org →
    Core: 10.1.x + Environment: PHP 8.1 & MySQL 5.7
    last update 8 months ago
    48 pass
  • @alexander-tallqvist opened merge request.
  • Status changed to Needs review 8 months ago
  • Comment 8 months ago
    🇫🇮Finland Alexander Tallqvist

    I added a new merge request which can be tested. The merge request adds two new permissions to the module. The permission bulk update aliases is needed when accessing the pathauto.bulk.update.form route, and the permission bulk delete aliases when accessing the pathauto.admin.delete route. The tests and the description for the administer pathauto permission have also been updated to reflect the changes.

  • Open in Jenkins → Open on Drupal.org →
    Core: 10.1.x + Environment: PHP 8.1 & MySQL 5.7
    last update 8 months ago
    48 pass
  • Comment 8 months ago
    🇫🇮Finland Alexander Tallqvist

    I discussed the implemented changes with a colleague and ended up modifying the merge request a bit. The route pathauto.bulk.update.form now required either the administer pathauto OR the bulk update aliases permission, and the route pathauto.admin.delete route requires either the administer pathauto OR the bulk delete aliases permission. This is because the administer pathauto permission indicates that a users should have access to everything pathauto related. The description for the administer pathauto permission has also been updated to reflect these changes.

  • Status changed to RTBC 8 months ago
  • Comment 8 months ago
    🇫🇮Finland tormu

    Tested with the usual case in mind, being "I want to give my client the ability to create new path aliases but not give them anything related to pathauto, including bulk delete stuff"

    Given the permissions as per attachment, the user with Content editor role now only sees the alias addition functionality in /admin/config/search/path - the "Bulk generate" and "Delete aliases" tabs are no longer there.
    So works as I was hoping it to.

    "Administer pathauto" or correct one of the new two permissions is now required to access those aforementioned two tabs.

    PS. Only tested the functionality from Drupal UI using DrupalPod, did not review code.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024