Contrib.social

Implement Access Policy for Managed Roles

Open on Drupal.org β†’
Created on 23 September 2024, 3 months ago

Problem/Motivation

The farm_role module is responsible for our concept of "managed roles" - which are special roles that automatically receive sets of farmOS permissions based on various rules. Before farmOS 3.3.0 this was accomplished by overriding the storage handler class for the user_role entity and calling our custom logic inside isPermissionInRoles(). See: #3151242: [META] farmOS 2.x Managed Roles β†’

Drupal 10.3 implemented a new "Access Policy API" ( πŸ“Œ Implement the new access policy API Needs work ), which refactored the way that Drupal core checks if a permission is in a role. It no longer uses RoleStorage::isPermissionInRoles(), and instead uses UserRolesAccessPolicy::calculatePermissions(). This meant that our managed permissions were no longer being applied (in most contexts...). So we refactored farm_role to override the new permission_checker service, instead (see [#3348054]).

However, in the process of testing ahead of the farmOS 3.3.0 release (which include these updates), we discovered that managed role permissions were not being applied in OAuth2 API requests, because the simple_oauth module still uses RoleStorage::isPermissionInRoles().

We explored multiple approaches (including overriding the Role entity class itself with our own hasPermission() and getPermissions() methods), but ultimately decided to keep BOTH our new permission_checker override class (for Drupal core access checking) AND our Role storage handler override class (for OAuth2 API access checking), and make a plan for next steps.

That's what this issue is for.

Proposed resolution

We decided that the "correct" approach would be to:

  1. refactor farm_role to implement an access policy for adding managed role permissions, and
  2. refactor simple_oauth to use access policies instead of RoleStorage::isPermissionInRoles()

Remaining tasks

TBD

User interface changes

None.

API changes

None.

Data model changes

None.

πŸ“Œ Task
Status

Active

Version

3.0

Component

Miscellaneous

Created by

πŸ‡ΊπŸ‡ΈUnited States m.stenta

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @m.stenta
  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta

    refactor simple_oauth to use access policies instead of RoleStorage::isPermissionInRoles()

    The maintainers of simple_oauth may already be thinking ahead to using access policies, so we should coordinate with them to see if there are any plans developing already. We may also have to live with a patch or override for a bit, if they need to support Drupal 10.2 or earlier (before access policies were implemented).

    Maybe the first place to look is \Drupal\simple_oauth\Authentication\TokenAuthUser::hasPermission(), which ultimately delegates down to \Drupal\simple_oauth\Oauth2ScopeProvider::scopeHasPermission(), which is where the module is currently checking RoleStorage::isPermissionInRoles().

  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta

    However, in the process of testing ahead of the farmOS 3.3.0 release (which include these updates), we discovered that managed role permissions were not being applied in OAuth2 API requests

    We also need to add some basic tests of the farmOS API using OAuth2. Our current tests did not catch this issue. This would be a good time to add those tests.

  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta

    For what it's worth, I also opened a core issue suggesting that RoleStorage::isPermissionInRoles() be deprecated: πŸ“Œ Deprecate RoleStorage::isPermissionInRoles() Active

  • Comment about 1 month ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024