Contrib.social

Use Entity API query access handler to filter entity queries based on user permissions

Open on Drupal.org β†’
Created on 8 January 2024, 6 months ago
Updated 24 January 2024, 5 months ago

Problem/Motivation

Currently our farm record views pages for assets/logs/plans/quantities/etc all require the highest level view any {entity_type} permission. This prevents users that only have permission to view a single bundle view any land asset or view their own authored bundle view own land asset from being able to view the standard record pages of farm assets.

It would be a nice feature to allow these restricted permissions access to still see the general record views pages, but within the view filter out the individual entities that the user does not have access to. This sounds like a lot of work, but thankfully I think most of the work has been done for us!

First, we can leverage the new collection_permission available with Drupal 10.2: https://www.drupal.org/node/2955178 β†’ to allow more access to our record views instead of view any {entity_type}. Nearly all users can be expected to have this permission and many of our views can be updated to use this permission. The entity module has already been providing an access asset overview "Access the asset overview page" permission that could work as this "collection permission". But I propose we create a new permission access {entity_type} collection: the "collection permission" is more general could be used for things other than just an "overview page".

Then to filter to proper access within our record views we can use the query_access handler provided by the entity module: https://www.drupal.org/node/2955178 β†’ . This will alter all entity and views queries to respect the bundle and owner permissions provided by the entity module.

Steps to reproduce

N/A

Proposed resolution

- Add a collection permission access {entity_type} collection
- Implement the entity module query access handler

Remaining tasks

Implement, test.

Also implement for log module: πŸ› Use Entity API query_access handler Needs review

User interface changes

Records pages accessible by users with more granular view permissions.

API changes

Entity queries will have added query access logic.

Data model changes

None

✨ Feature request
Status

Postponed

Version

3.0

Component

Miscellaneous

Created by

πŸ‡ΊπŸ‡ΈUnited States paul121 Spokane, WA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @paul121
  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta
  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta

    Last week I opened #3415653: [META] Allow more granular access on default farmOS Views β†’ , having forgotten that @paul121 already opened this one. I closed mine as a duplicate, but now that I think about it, we may want to have both of them. This one is suggesting a specific solution to the problem, but in chat there were some other solutions proposed, both short term and long term. They have advantages and disadvantages, so I'm going to reopen my issue and repurpose it as a [META] issue to document all of the possibilities. This one can be a feature request specifically for the "query access handler" approach. I will tweak the title of this to make that more explicit, and make this a child of the [META] issue.

    @paul121 if I've misrepresented anything please feel free to adjust! I will document some of our recent discussions in the [META] issue comments.

  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta

    I propose we create a new permission access {entity_type} collection

    Important note about the backwards compatibility considerations of this:

    In discussing this further, we realized that changing the permission on Views may actually be a breaking change, though. If any downstream users have created roles that grant the view any {entity_type} permission in order to see the default Views, and we start requiring a different permission (access {entity_type} collection), users with those roles won't be able to see the default Views.

    To address this, we could consider adding an update hook that automatically adds the access {entity_type} collection permission(s) to any roles that have the corresponding view any {entity_type} permission(s). I *think* that would be safe, but we should give that some dedicated thought.

    From https://www.drupal.org/project/farm/issues/3415653#comment-15411481 β†’

  • Merge request !81Issue #3413263: Use Entity API query access handler to filter entity queries... β†’ (Open) created by m.stenta
  • Status changed to Needs review 5 months ago
  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta

    Started a 3.x-query-access-handler branch and pushed to a new issue fork: https://git.drupalcode.org/issue/farm-3413263/-/compare/3.x...3.x-query-...

    We still need to add the new permissions, with an update hook to add them to roles, etc. I wonder if we should tackle that in a separate PR and leave this just focused on enabling the query access handler?

  • Status changed to Postponed 5 months ago
  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta

    Actually we should do this at the same time as the Log module (see πŸ› Use Entity API query_access handler Needs review ), and make sure we use the new version, so that all our entities get the access checking together.

    Postponing this. Let's get it merged in Log first, then include a composer.json change to bump the drupal/log version constraint accordingly in this branch.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024