- Issue created by @ajits
- Merge request !25Issue #3400833: Block list do not display per bundle permissions → (Open) created by ajits
- last update
about 1 year ago 16 pass, 5 fail - Status changed to Needs review
about 1 year ago 1:57pm 10 November 2023 - 🇮🇳India ajits India
Created an MR with a possible fix. Please note that it does not handle all the cases it should be considered as a starting point.
- 🇺🇸United States mark_fullmer Tucson
This change makes sense to me: Drupal core block permissions should take precedence on which blocks are available in the Layout Builder listing for Inline Blocks, before Layout Builder Restrictions' apply their own limitations.
I'd like to think about this a little further to make sure this doesn't introduce any problematic behavior regarding access, but I support this approach in principle.
- Status changed to Postponed
about 1 year ago 10:30pm 1 December 2023 - 🇺🇸United States mark_fullmer Tucson
After reviewing the Drupal core issue for making more granular permissions for creating/editing blocks in the context of Layout Builder 📌 Adjust Layout Builder permission checking for inline blocks once more granular block permissions exist Needs work , I am not convinced that this module, Layout Builder Restrictions, should preemptively enforce restrictions based on the newly available Drupal block type restrictions.
Rationale:
1. Currently, Layout Builder provides the single "create and edit custom blocks" permission, which **must** be granted for a user to create or edit any blocks in the Layout Builder context.
2. If Layout Builder Restrictions were to add per-block-type permission checks, users would need to have "create and edit custom blocks" permissions AS WELL AS the permission to edit the specific block type(s). This seems like this would be silently enforcing a permissions scheme that is not in Drupal core itself, one which is different from the restrictions scheme provided by configuration in this module.Given this, at this point in time, I think it is best for the restrictions that this module enforces to be limited to what is configured through its interface. Potentially the attached patch could be a way for sites to opt into this as early-adopters, if they desire. If and when Drupal core's Layout Builder switches to a per-block-permission for the context of Layout Builder, this module can follow suit.
Leaving the module's design as-is right now does not expose any *more* permission/capability for editing blocks in Layout Builder than Drupal core's permissions do. A user that does not have the "create and edit custom blocks" permission will not be able to do anything they shouldn't be able to do when Layout Builder Restrictions is installed. In other words, there is no reason, from a security standpoint, that this module needs to address the granular block permissions at this time.
With all that said, preparing for an eventual future where we may want to check individual block permissions in this module, I've added a patch that checks for the "create" permission, along with test coverage.
Marking this as "Postponed" until 📌 Adjust Layout Builder permission checking for inline blocks once more granular block permissions exist Needs work has more clear direction.
- 🇺🇸United States mark_fullmer Tucson
Changing the issue title, and the category to "Feature request," as this is not a bug with this module or Drupal core, but rather a request for the ability to have more granular block permissions in the Layout Builder context.
- 🇺🇸United States mark_fullmer Tucson
Relatedly, it may be worth looking at https://www.drupal.org/project/layout_builder_restrictions_by_role → as a way of having more control, related to permissions and roles.