UserPermissionsForm should filter authenticated user permissions from other roles on save

Open on Drupal.org →

Created on 25 January 2024, about 1 year ago

Problem/Motivation

UserPermissionsForm has clientside JS to demonstrate to the user that when a permission is checked for "authenticated user", it also applies to all logged in roles.

However, this is not handled separately on save, so redundant permissions can be saved to roles.

Steps to reproduce

Install with the Standard profile.
Export role config and note that "content editor" has "access contextual links" permission.
At /admin/people/permissions grant "access contextual links" to "authenticated user".
Export role config again; "authenticated user" has "access contextual links", but so does "content editor", and this is redundant.

Proposed resolution

Filter authenticated user permissions from other logged-in roles on save.

Merge request link

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

📌 Task

Status

Needs work

Version

11.0 🔥

Component

User system →

Last updated 1 day ago

Maintained by
🇺🇸United States @moshe weitzman
🇧🇪Belgium @kristiaanvandeneynde

Created by

🇬🇧United Kingdom longwave UK

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

!6322UserPermissionsForm should filter authenticated user permissions from other roles on save
Open
🇬🇧United Kingdom longwave
updated about 1 year ago

Comments & Activities

Issue created by @longwave
Comment about 1 year ago →
🇬🇧United Kingdom longwave UK
Comment about 1 year ago →
🇬🇧United Kingdom longwave UK
Not entirely sure this is the desired behaviour, as currently you can untick "authenticated user" again and the permissions apply to the original roles again, but it does clean up role storage (and dependencies) a bit on complex sites with many roles and permissions in play.
Merge request !6322Revoke permissions from other roles when authenticated user is granted them. → (Open) created by longwave
Status changed to Needs review about 1 year ago2:21pm 25 January 2024
Status changed to Needs work about 1 year ago3:17pm 25 January 2024
Comment about 1 year ago →
🇺🇸United States smustgrave
Even though it's a task could we get test coverage.

The idea makes sense though, least to me. Probably would of helped some during the D9->D10 jump when having to fix bad permissions. Had to manually open the yml files to find the permission.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024