Implement Access Policy for Managed Roles

Created on 23 September 2024, 10 months ago

Problem/Motivation

The farm_role module is responsible for our concept of "managed roles" - which are special roles that automatically receive sets of farmOS permissions based on various rules. Before farmOS 3.3.0 this was accomplished by overriding the storage handler class for the user_role entity and calling our custom logic inside isPermissionInRoles(). See: #3151242: [META] farmOS 2.x Managed Roles

Drupal 10.3 implemented a new "Access Policy API" ("Implement the new access policy API", Needs work), which refactored the way that Drupal core checks if a permission is in a role. It no longer uses RoleStorage::isPermissionInRoles(), and instead uses UserRolesAccessPolicy::calculatePermissions(). This meant that our managed permissions were no longer being applied (in most contexts...). So we refactored farm_role to override the new permission_checker service, instead (see [#3348054]).

However, in the process of testing ahead of the farmOS 3.3.0 release (which includes these updates), we discovered that managed role permissions were not being applied in OAuth2 API requests, because the simple_oauth module still uses RoleStorage::isPermissionInRoles().

We explored multiple approaches (including overriding the Role entity class itself with our own hasPermission() and getPermissions() methods), but ultimately decided to keep BOTH our new permission_checker override class (for Drupal core access checking) AND our Role storage handler override class (for OAuth2 API access checking), and make a plan for next steps.

That's what this issue is for.

Proposed resolution

We decided that the "correct" approach would be to:

  1. refactor farm_role to implement an access policy for adding managed role permissions, and
  2. refactor simple_oauth to use access policies instead of RoleStorage::isPermissionInRoles()

Remaining tasks

TBD

User interface changes

None.

API changes

None.

Data model changes

None.

📌 Task
Status

Active

Version

3.0

Component

Miscellaneous

Created by

🇺🇸 United States m.stenta
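A sketch of step 1 of the proposed resolution, written against the Drupal 10.3 Access Policy API as an added example; it is not farm_role's code and not part of the original issue. The module name `example_managed_role`, the class name, and the rule in `managedPermissions()` (a permission list stored in the role's third-party settings) are assumptions chosen for illustration.

```php
<?php

namespace Drupal\example_managed_role\Access;

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccessPolicyBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\CalculatedPermissionsItem;
use Drupal\Core\Session\RefinableCalculatedPermissionsInterface;
use Drupal\user\RoleInterface;

/**
 * Adds rule-derived permissions for managed roles (illustrative only).
 *
 * Register the class as a service tagged "access_policy" in the module's
 * services.yml so the core permission calculator picks it up.
 */
final class ManagedRoleAccessPolicy extends AccessPolicyBase {

  public function __construct(
    private readonly EntityTypeManagerInterface $entityTypeManager,
  ) {}

  public function calculatePermissions(AccountInterface $account, string $scope): RefinableCalculatedPermissionsInterface {
    $calculated = parent::calculatePermissions($account, $scope);
    $roles = $this->entityTypeManager->getStorage('user_role')
      ->loadMultiple($account->getRoles());
    foreach ($roles as $role) {
      // Editing a role must invalidate the cached permission set.
      $calculated->addCacheableDependency($role);
      $managed = $this->managedPermissions($role);
      if ($managed !== []) {
        // Same scope and identifier as core's role policy, so the item is
        // merged with the role's stored permissions rather than replacing them.
        $calculated->addItem(new CalculatedPermissionsItem($managed));
      }
    }
    return $calculated;
  }

  public function getPersistentCacheContexts(): array {
    // The result depends only on which roles the account holds.
    return ['user.roles'];
  }

  // Hypothetical rule: managed permissions are listed in third-party settings.
  private function managedPermissions(RoleInterface $role): array {
    return $role->getThirdPartySetting('example_managed_role', 'permissions', []);
  }

}
```

A policy like this only affects code paths that go through the access policy processor; anything that still calls RoleStorage::isPermissionInRoles() directly will not see the added permissions, which is why step 2 is needed.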
