Restrict block access by new Block bundle permissions

Created on 10 November 2023, 8 months ago
Updated 16 May 2024, about 1 month ago

Problem/Motivation

With Drupal 10.1 there are now permissions added for each block type. However, the layout builder does not support the permission yet. The core issue "Adjust Layout Builder permission checking for inline blocks once more granular block permissions exist" (Needs work) is in progress.

Even with the core limiting the number of block types displayed in LB, this module will create a fresh list of block types.

Steps to reproduce

  • Install Drupal 10.1
  • Add some custom block types.
  • Provide permission of these block types to some role.
  • Login as a user who does not have access to all (add/edit/administer) block types.
  • Add a node that has LB enabled.
  • On the layout tab add a section and click on "Add custom block"

All block types are listed.

Block types allowed by the current user are displayed.

Proposed resolution

Consider "Create/Edit" permissions per block type.

Remaining tasks

Finalize the approach and implement a fix.

User interface changes

TBD

API changes

TBD

Data model changes

None.

✨ Feature request

Status: Postponed
Version: 3.0
Component: Code
Created by: 🇮🇳India AjitS Pune


Comments & Activities

  • Issue created by @AjitS
  • Core: 10.1.x + Environment: PHP 8.1 & MariaDB 10.3.22
    last update 8 months ago
    16 pass, 5 fail
  • Status changed to Needs review 8 months ago
  • 🇮🇳India AjitS Pune

    Created an MR with a possible fix. Please note that it does not handle all the cases; it should be considered as a starting point.

  • 🇺🇸United States mark_fullmer Tucson

    This change makes sense to me: Drupal core block permissions should take precedence on which blocks are available in the Layout Builder listing for Inline Blocks, before Layout Builder Restrictions applies its own limitations.

    I'd like to think about this a little further to make sure this doesn't introduce any problematic behavior regarding access, but I support this approach in principle.

  • Status changed to Postponed 7 months ago
  • 🇺🇸United States mark_fullmer Tucson

    After reviewing the Drupal core issue for making more granular permissions for creating/editing blocks in the context of Layout Builder, "Adjust Layout Builder permission checking for inline blocks once more granular block permissions exist" (Needs work), I am not convinced that this module, Layout Builder Restrictions, should preemptively enforce restrictions based on the newly available Drupal block type restrictions.

    Rationale:
    1. Currently, Layout Builder provides the single "create and edit custom blocks" permission, which **must** be granted for a user to create or edit any blocks in the Layout Builder context.
    2. If Layout Builder Restrictions were to add per-block-type permission checks, users would need to have "create and edit custom blocks" permissions AS WELL AS the permission to edit the specific block type(s). It seems like this would be silently enforcing a permissions scheme that is not in Drupal core itself, one which is different from the restrictions scheme provided by configuration in this module.

    Given this, at this point in time, I think it is best for the restrictions that this module enforces to be limited to what is configured through its interface. Potentially the attached patch could be a way for sites to opt into this as early adopters, if they desire. If and when Drupal core's Layout Builder switches to a per-block-permission for the context of Layout Builder, this module can follow suit.

    Leaving the module's design as-is right now does not expose any *more* permission/capability for editing blocks in Layout Builder than Drupal core's permissions do. A user that does not have the "create and edit custom blocks" permission will not be able to do anything they shouldn't be able to do when Layout Builder Restrictions is installed. In other words, there is no reason, from a security standpoint, that this module needs to address the granular block permissions at this time.

    With all that said, preparing for an eventual future where we may want to check individual block permissions in this module, I've added a patch that checks for the "create" permission, along with test coverage.

    Marking this as "Postponed" until "Adjust Layout Builder permission checking for inline blocks once more granular block permissions exist" (Needs work) has more clear direction.

  • 🇺🇸United States mark_fullmer Tucson

    Changing the issue title, and the category to "Feature request," as this is not a bug with this module or Drupal core, but rather a request for the ability to have more granular block permissions in the Layout Builder context.

  • 🇺🇸United States mark_fullmer Tucson

    Relatedly, it may be worth looking at https://www.drupal.org/project/layout_builder_restrictions_by_role as a way of having more control, related to permissions and roles.

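The decision order discussed in this thread (Layout Builder's "create and edit custom blocks" gate, then core's per-type permission, then the module's configured restrictions), as an added example that is not code from the merge request, the patch, or the module. `SampleAccount`, `inline_block_types_for()`, the flat allowlist and the sample type names are hypothetical; the "create {type} block content" string follows the per-type permission naming of Drupal 10.1 core's block_content module.

```php
<?php
declare(strict_types=1);

// Stand-in for Drupal's AccountInterface::hasPermission(); constructed for
// this example so the block runs without a Drupal bootstrap.
final class SampleAccount {
  public function __construct(private array $permissions) {}

  public function hasPermission(string $permission): bool {
    return in_array($permission, $this->permissions, true);
  }
}

/**
 * Returns the inline block types to list in the "Add custom block" dialog.
 *
 * @param string[] $blockTypes   All block type machine names on the site.
 * @param string[] $restrictedTo Types allowed by the module's configuration
 *   (hypothetical shape: a flat allowlist).
 * @param bool $checkPerType     TRUE = the opt-in per-type check discussed
 *   in the thread; FALSE = the current behaviour.
 */
function inline_block_types_for(SampleAccount $account, array $blockTypes, array $restrictedTo, bool $checkPerType): array {
  // Layout Builder's own gate: without it nothing is offered at all.
  if (!$account->hasPermission('create and edit custom blocks')) {
    return [];
  }
  $types = $blockTypes;
  if ($checkPerType) {
    // Core block permissions are applied first ...
    $types = array_filter($types, fn(string $t): bool => $account->hasPermission("create $t block content"));
  }
  // ... then the module's configured restrictions narrow the list further.
  return array_values(array_intersect($types, $restrictedTo));
}

// Constructed sample data.
$types = ['basic', 'hero', 'promo'];
$allowlist = ['basic', 'hero'];
$editor = new SampleAccount(['create and edit custom blocks', 'create basic block content']);
$viewer = new SampleAccount(['create hero block content']);

print_r(inline_block_types_for($editor, $types, $allowlist, false)); // current behaviour
print_r(inline_block_types_for($editor, $types, $allowlist, true));  // opt-in per-type check
print_r(inline_block_types_for($viewer, $types, $allowlist, true));  // lacks the Layout Builder gate
```

With the per-type check enabled the result can only be a subset of the list produced without it, which is the point made in the thread: the check narrows what is offered and never widens it.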