Unable to require a scope for one application type but allow without scopes for another

Created on 16 November 2023, about 1 year ago

Problem/Motivation

It's currently not possible to require a scope for one application type, while always allowing access for the other application type. This can occur for example if you want to limit access to a field on a user entity for applications that act on behalf of a user (e.g. an address or phone number) but expect that any bot integration (like a CRM system) will always be able to see that information.

Steps to reproduce

Create a field and add an allowUser() scope. This now prevents a bot user from accessing the field. However, allowBot without any required scopes is not allowed.

Proposed resolution

Remove the required flag on the String! in allowBot and allowUser (we still require it in allowAll because otherwise you could remove that directive entirely). getRequiredScopes needs to differentiate between the directive being absent (returning NULL) and being present but empty (returning []). This will allow the code in Server::checkAccess to differentiate between these scenarios too, by changing the empty check to === NULL.
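A sketch in PHP of the NULL-versus-empty-array distinction the proposal relies on, with the old `empty()` check beside the proposed `=== NULL` check. This is an added illustration, not the module's code: `getRequiredScopes`, `checkAccessOld`, `checkAccessNew` and the `$directives` array shape are hypothetical stand-ins for the parsed schema directives.

```php
<?php
// Hypothetical stand-in for the parsed field directives, e.g.
//   ['allowUser' => ['scopes' => ['profile:read']], 'allowBot' => ['scopes' => []]]
// Only allowUser/allowBot are modelled; allowAll keeps its required scope list.

/**
 * Returns NULL when no directive applies to $applicationType, and the
 * (possibly empty) list of required scopes when a directive is present.
 */
function getRequiredScopes(array $directives, string $applicationType): ?array {
  $name = $applicationType === 'bot' ? 'allowBot' : 'allowUser';
  if (!array_key_exists($name, $directives)) {
    return NULL; // Directive absent: this application type gets no access.
  }
  // Directive present; with the required flag removed the list may be empty.
  return $directives[$name]['scopes'] ?? [];
}

/** Old behaviour: an empty scope list is treated the same as "no directive". */
function checkAccessOld(array $directives, string $applicationType, array $granted): bool {
  $required = getRequiredScopes($directives, $applicationType);
  if (empty($required)) {
    return FALSE; // Denies allowBot with [] as well as a missing directive.
  }
  return count(array_diff($required, $granted)) === 0;
}

/** Proposed behaviour: only an absent directive (NULL) denies outright. */
function checkAccessNew(array $directives, string $applicationType, array $granted): bool {
  $required = getRequiredScopes($directives, $applicationType);
  if ($required === NULL) {
    return FALSE; // No directive for this application type.
  }
  // [] means "present, no scopes needed": every token of this type passes.
  return count(array_diff($required, $granted)) === 0;
}

// Constructed case from the issue: users need 'profile:read', bots always may.
$field = [
  'allowUser' => ['scopes' => ['profile:read']],
  'allowBot'  => ['scopes' => []],
];
var_dump(checkAccessNew($field, 'user', []));               // user without scope
var_dump(checkAccessNew($field, 'user', ['profile:read']));  // user with scope
var_dump(checkAccessOld($field, 'bot', []));                 // bot, old check
var_dump(checkAccessNew($field, 'bot', []));                 // bot, new check
var_dump(checkAccessNew(['allowUser' => ['scopes' => ['profile:read']]], 'bot', []));
```

The last call shows that a field carrying only allowUser still denies bot applications under the new check, so removing the required flag does not widen access beyond fields that explicitly opt in with allowBot.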

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Active

Version

1.0

Component

Code

Created by

kingdutch (🇳🇱 Netherlands)
