Contrib.social

Toggl access control per model and per action

Open on Drupal.org →
Created on 22 May 2024, 12 months ago

Problem/Motivation

By default, ECA processes models in the context of the current user. Each action can perform an access control and refuse to process that action, if the current user doesn't have the required permission.

If processing needs to be enforced, even if the current user doesn't have all the permissions, ECA provides 2 options:

  • Use the "Switch current user" action, to temporarily change the context to another user with the appropriate permissions.
  • Globally change the ECA settings to always process models in the context of a specific configured user account.

The first option is sometimes perceived as too cumbersome, and users don't like it if they have to add that extra action almost everywhere.

The second option has the downside, that it is global and models that will be shared with other Drupal sites may behave differently depending upon that setting.

Proposed resolution

Let's add 2 more options in addition to what we already have:

  • A property for each model to turn off access checks for all action with just for that model.
  • A property for each action to turn off access check just for that action.
Feature request
Status

Active

Version

2.0

Component

Code

Created by

🇩🇪Germany jurgenhaas Gottmadingen

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @jurgenhaas
  • Comment 12 months ago
    🇩🇪Germany mxh Offenburg

    How do you want to turn off access checks? It's worth noting that current implementations of the access method of most ECA-related action plugins are not only performing access checks, but also validations, as can be seen in the commits of 📌 Enhance (or add) access control in plugins where required config fields support tokens Active . If we'd want to be able to optionally turn off access checks, I currently see two options:

    1. Refactor all access method implementations, so that the access methods exclusively contain access checks (probably mostly permission or role-based checks) and put any other logic such as validation and appliance checks into separate method(s)
    2. Skip all permission/role-bases access checks within the access method implementations e.g. with wrapped if statements that check whether access checks are enabled/disabled.
  • Comment 12 months ago
    🇩🇪Germany jurgenhaas Gottmadingen

    This is a great observation, thanks @mxh

    What we currently have, are 2 components in access checks:

    • Permission checks
    • Validation checks

    Each action can have none, one, or all those components in the access method. Also, worth noting that the execute method sometimes also does the validation again.

    So, what we optionally want to turn off, is just the permission check. And that does require a refactor of action plugins in any case. In other words, if access check is turned off, we still wish to refuse execution if the configuration is not valid.

    An approach without re-factoring could be to switch to user 1 or an admin user right before calling the access method, and switching back right afterwards. But the privileges of user 1 may be turned off (new feature in core) or no admin role may exist. Maybe the new permission API could be helpful instead?

  • Comment 11 months ago
    🇩🇪Germany jurgenhaas Gottmadingen
  • Comment 21 days ago
    🇩🇪Germany marco.b

    The feature in core (since 10.1) that the privileges of user 1 may be turned off argues against using "switch to user 1." However, since this ECA option is already available in the settings and as a single action, there would be nothing wrong with offering it as a per-model option, unless there are more robust options (as outlined above), right?

    Any new insights on this issue? I've been using the "Execute models with user" setting by default, and a per-model setting would be very helpful.

  • Comment 17 days ago
    🇩🇪Germany jurgenhaas Gottmadingen

    @marco.b a lot has changed since we last discussed this topic around a year ago. Executing ECA generally as a given user in the global settings really turned out to be a bad idea. With or without the changes to the user 1 in Drupal core, one can still have a user with all permissions, which would almost work like the legacy user 1, but for many ECA scenarios, this is hitting back badly, especially because access control is no longer usable in ECA models in that case.

    The alternative approach to using the User: switch current account action is much better as it keeps all the flexibility and doesn't come with access control limitations. However, it's cumbersome to add this action often, and it makes it difficult to share models between sites because the privileged user ID may be different on all those sites.

    Therefore, we've introduced the User: switch to service user action, which switches to a privileged user account that needs to be configured on each site in the setting.

    The next improvement will come with 📌 Separate access and executable checks and make access completely optional Active where access control will then be possible to turn off on a per model basis.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024