Add plugin definition properties for disabling access to a specific action

Created on 14 August 2024, 3 months ago
Updated 15 August 2024, 3 months ago

Problem/Motivation

Access to actions is currently restricted on a per-entity basis.

This can lead to a potentially confusing UI where the action is available even though the user doesn't inherently have access to perform any of the actions.

An example of such an action is the user_cancel_user_action which should ideally only be visible to users with the cancel account permission.

Optional action-level access checks should be added which'll be used to determine when to show the action within the list of available actions, such that if the user is an admin with the cancel account permission, the action is available, and otherwise hidden.

Proposed resolution

This feature is available within Views Bulk Operations as part of #2896410: Port Action Permissions to Drupal 8. We can use a similar approach, where the action's definition can specify custom requirements for when it should be available.

Remaining tasks

  • Implement hook_action_info_alter() API documentation.
  • Update existing Action annotation properties to include the new requirements option.
  • Add tests

Release notes snippet

TBD

Task
Status: Active
Version: 11.0
Component: Action (last updated about 1 month ago, no maintainer)

Comments & Activities

  • Issue created by @codebymikey
  • 🇫🇷France andypost

    There's a special no_ui option already; are you gonna make it dynamic?

  • Hi Andrey, the idea is to have the actions hidden from the selection options only if the user doesn't have permission to use them in the first place. I believe no_ui would hide it for all users, and wouldn't want to change how that definition already works.

    My specific use case was related to the 🐛 Revision user incorrectly appears as anonymous user when node author is cancelled Needs work issue, and providing a way to stop the "Cancel the selected user accounts" action from being shown to the user unless they had the cancel account permission since it was confusing to have an action which they couldn't actually use.

    The addition of this requirements definition will help clean up the UI a bit more.

    My version of this was implemented via an alter hook:

    /**
     * Implements hook_action_info_alter().
     */
    function mycustommodule_action_info_alter(array &$definitions) {
      $cancel_user_actions = [
        'user_cancel_user_action',
        'vbo_cancel_user_action',
      ];
      foreach ($cancel_user_actions as $cancel_user_action) {
        if (isset($definitions[$cancel_user_action])) {
          /* @see \Drupal\views_bulk_operations\Plugin\views\field\ViewsBulkOperationsBulkForm::getBulkOptions() */
          // Added as part of https://www.drupal.org/project/drupal/issues/3468097
          $definitions[$cancel_user_action]['requirements']['_permission'] = 'cancel account';
        }
      }
    }
    

    P.S. We also don't have a hook_action_info_alter() API function for reference.
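An added example, not part of the original comment and not code from Drupal core or Views Bulk Operations, of how a `requirements['_permission']` entry like the one set in the alter hook above can filter the list of offered actions while the per-entity check stays in place at execution time. The helper names, the callables standing in for the account's permission check and the per-entity access check, and the sample definitions are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a core or VBO function): returns the definitions
// that may be listed for an account. $has_permission stands in for the
// account's permission check.
function example_listable_actions(array $definitions, callable $has_permission): array {
  return array_filter($definitions, static function (array $definition) use ($has_permission): bool {
    $permission = $definition['requirements']['_permission'] ?? NULL;
    if ($permission === NULL) {
      // No action-level requirement: listed as before, per-entity checks only.
      return TRUE;
    }
    // Fail closed: a malformed requirement hides the action instead of showing it.
    return is_string($permission) && $permission !== '' && $has_permission($permission);
  });
}

// Hypothetical execution gate: a hidden action can still be requested by id,
// so the requirement is re-checked and the per-entity check is kept.
function example_execute(string $id, array $definitions, callable $has_permission, callable $entity_access): string {
  if (!isset(example_listable_actions($definitions, $has_permission)[$id])) {
    return 'denied: action requirement';
  }
  return $entity_access() ? 'executed' : 'denied: entity access';
}

// Constructed sample definitions; 'example_broken_action' is made up.
$definitions = [
  'user_cancel_user_action' => [
    'label' => 'Cancel the selected user accounts',
    'requirements' => ['_permission' => 'cancel account'],
  ],
  'user_block_user_action' => ['label' => 'Block the selected users'],
  'example_broken_action' => [
    'label' => 'Malformed requirement',
    'requirements' => ['_permission' => ['cancel account']],
  ],
];

// Constructed accounts: one without and one with the 'cancel account' permission.
$editor = static fn(string $p): bool => in_array($p, ['access content'], TRUE);
$admin = static fn(string $p): bool => in_array($p, ['access content', 'cancel account'], TRUE);

print implode(', ', array_keys(example_listable_actions($definitions, $editor))) . "\n";
print implode(', ', array_keys(example_listable_actions($definitions, $admin))) . "\n";
print example_execute('user_cancel_user_action', $definitions, $editor, static fn(): bool => TRUE) . "\n";
print example_execute('user_cancel_user_action', $definitions, $admin, static fn(): bool => FALSE) . "\n";
```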
