Restrict who can "Rebuild permissions" to users with the "administer site configuration" permission

Created on 31 January 2024, over 1 year ago

Problem/Motivation

Given the need of the Node Access Rebuild Progressive β†’ module existing, you might not want any users with access to the admin (e.g. normal content users), to be able to trigger a rebuild and potentially take the site content offline whilst its rebuilding.

So would rather have that left for a user with a higher administrative or more specific permission.

Proposed resolution

Restrict access to users with the administer site configuration permission rather than access administration pages.

Merge request link

Remaining tasks

Provide issue fork/patch.

User interface changes

N/A

Release notes snippet

TBD.

πŸ“Œ Task
Status

Active

Version

10.1 ✨

Component
Node systemΒ  β†’

Last updated 1 day ago

No maintainer
Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @codebymikey
  • Attached a patch supporting Drupal 10.0.x.

  • codebymikey β†’ changed the visibility of the branch 3418353-restrict-who-can to hidden.

  • Pipeline finished with Success
    about 1 year ago
    Total: 532s
    #187460
  • Status changed to Needs work 3 months ago
  • πŸ‡¦πŸ‡ΊAustralia acbramley

    This would need an upgrade path to add the new permission to any role that has administer nodes so there's no access regression for existing sites. Also needs a reroll.

  • First commit to issue fork.
  • Pipeline finished with Failed
    2 months ago
    Total: 602s
    #473290
  • πŸ‡ΊπŸ‡¦Ukraine quadrexdev Lutsk

    Updated the issue branch with changes from 11.x, added post_update hook to grant the new permission

    The errors in the pipeline look to be unrelated to this issue, so I would assume MR could be reviewed now

  • πŸ‡ΊπŸ‡ΈUnited States smustgrave

    I'm 50/50 that we should add test coverage for the update hook. We add coverage for most update hooks but this one is pretty simple.

    But moving to NW as this would be a new permission to be declared.

  • Pipeline finished with Failed
    2 months ago
    Total: 148s
    #475115
  • Pipeline finished with Success
    2 months ago
    Total: 384s
    #475170
  • πŸ‡ΊπŸ‡¦Ukraine quadrexdev Lutsk

    Thanks for the feedback, @smustgrave

    I added a simple test to verify that the new permission is added by the post update hook, just in case

  • πŸ‡¦πŸ‡ΊAustralia acbramley

    CR added, I'm not sure if we also need a presave hook here for exported config in modules/profiles

  • Pipeline finished with Success
    about 2 months ago
    Total: 613s
    #483411
  • πŸ‡ΊπŸ‡ΈUnited States smustgrave

    All feedback for this one appears to be addressed!

  • πŸ‡¬πŸ‡§United Kingdom catch

    The title doesn't match either the issue summary or the MR. Also I'm not entirely sure why that option wasn't taken - e.g. requiring both 'administer site configuration' and 'administer nodes' at the same time.

  • πŸ‡¦πŸ‡ΊAustralia acbramley

    Updated title. I think a new permission is the best approach here, if we used administer site configuration we'd still need an upgrade path.

    Keeping at NW because I think we do need the ConfigUpdater dance here in a presave hook

  • Pipeline finished with Failed
    about 2 months ago
    Total: 700s
    #485302
  • πŸ‡¦πŸ‡ΊAustralia acbramley

    Added the presave hook but debugging locally and it doesn't fire during the post update...

  • Pipeline finished with Failed
    about 2 months ago
    #485315
  • πŸ‡¦πŸ‡ΊAustralia acbramley

    After all that I'm actually unsure how we should do this. With this presave hook it's impossible now to save a role with administer nodes and without rebuild node access permissions...

    Throwing a deprecation didn't feel right either because it's a valid case to have one permission without the other, but we need to be able to notify modules with exported config.

    @catch any ideas?

  • Pipeline finished with Success
    about 2 months ago
    Total: 743s
    #485347
  • πŸ‡¬πŸ‡§United Kingdom catch

    I don't really count roles as exported config to be shipped with modules to be honest, it's pretty rare in general. So in the case I think it's fine to skip the presave. It's not like we're renaming a permission, exported roles will be validz they just might not cover this permission.

  • πŸ‡¦πŸ‡ΊAustralia acbramley

    Perfect, in that case I've reverted all the presave code.

  • Pipeline finished with Success
    about 2 months ago
    Total: 1191s
    #486237
  • πŸ‡©πŸ‡°Denmark ressa Copenhagen

    Working on https://www.drupal.org/community/contributor-guide/reference-information... β†’ I tried the patch here, which is used as an example.

    I then looked for "Rebuild node access permissions" in the user interface at /admin/people/permissions, but then realized that it is called "Rebuild content access permissions" ...

    Should it perhaps be one or the other both places, for consistency?

  • Status changed to RTBC 4 days ago
  • πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Updated the CR for 11.3

    Applied one suggestion to the MR as I saw recently there's a push to not have assertion messages.

    Everything else seems fine. Update hook runs without issue.

  • Pipeline finished with Success
    4 days ago
    Total: 611s
    #526506
  • πŸ‡ΊπŸ‡ΈUnited States benjifisher Boston area

    I did not notice this issue before today, or I would have commented earlier.

    I am not sure that we should add a new permission for rebuilding permissions.

    First, the administer nodes permission is already marked as restricted. It should not be granted to "normal mid-level content users" (to use the phrase from the issue summary). Instead of introducing a new, restricted permission I think we should encourage site owners to be more careful about granting the existing one.

    Along with https://www.drupal.org/sa-core-2025-002 β†’ , I released the Granular Node Permissions β†’ module. That provides permissions suitable for less-privileged roles, so that common tasks can be done without the administer nodes permission. There is also an issue to add one of those permissions to core: ✨ Publish nodes permission Postponed: needs info . The goals of the contrib module and the core issue are the same: make it easier to get work done without the restricted permission, so that site owners can be more stingy about granting it.

  • πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Should we put back into review ?

  • I think having a granular permission makes sense in this case. Mainly for the reason that the administer node permission is typically used in relation to regular node entity operations, and flagging that the user is allowed to make those changes to the node without needing a specific permission for the bundle or field.

    My current use case is for a "site admin" role that can essentially do most of the same actions as a regular admin as far as nodes are concerned (apart from rebuilding access), such as view and edit nodes of all bundle types without needing to be explicitly granted permission every time a new one is introduced, the current administer nodes is also currently used for other functionality like views and potentially in other contrib modules, that make use of the permission, so trying to move to the contrib solution probably wouldn't work for me here.

    The rebuilding node action seems like a special operation that doesn't necessarily need to be linked to administer node permission, same as the current bypass node access permission.

  • πŸ‡¦πŸ‡ΊAustralia acbramley

    I agree with @codebymikey, it seems strange to want more granularity to control specific options on a node but not to detach the rebuilding of permissions from administer nodes.

Production build 0.71.5 2024