Contrib.social

Add dedicated permission for tools

Open on Drupal.org →
Created on 20 November 2024, 8 months ago

Problem/Motivation

Currently all the tools use the generic permission check 'administer site configuration'.
However, this is a pretty broad permission, which does not allow for fine grained access control.
For example we would consider giving this permission to clients, but would not want the extra tools provided by this module to be accessible by the same clients.

Proposed resolution

Provide a module-specific permission to access tools.

Remaining tasks

- Add a module-specific permission
- Provide upgrade path

Feature request
Status

Active

Version

1.0

Component

Code

Created by

🇧🇪Belgium svendecabooter Gent

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @svendecabooter
  • Merge request !17Resolve #3488541 "Add dedicated permission" → (Merged) created by svendecabooter
  • Comment 8 months ago
    🇧🇪Belgium svendecabooter Gent

    Created MR to add this functionality.
    Attached is a patch file for composer based patching workflow.

  • Pipeline finished with Success
    8 months ago
    Total: 212s
    #344332
  • Comment 8 months ago
    🇧🇪Belgium svendecabooter Gent

    Updated patch file.

  • Pipeline finished with Success
    8 months ago
    Total: 179s
    #344334
  • Comment 8 months ago
    🇮🇪Ireland lostcarpark

    Thanks for working on this. It looks great. I just wonder should we be making the permissions more granular, so that users could be given access to some functions but not all?

  • Pipeline finished with Success
    7 months ago
    Total: 259s
    #357456
  • Comment 7 months ago
    🇧🇪Belgium svendecabooter Gent

    I have updated the MR with split permissions.
    Through permissions you can now decide whether to give a user access to:
    - clear caches
    - run cron
    - run updates (no extra permission added for this, since it is managed by core routing)

    I don't think individual cache flush actions don't need their own specific permissions?

    I have also added a specific `/admin/tools` route that just lists the children menu items. This is so the "Tools" heading in the navigation bar points to that page, instead of the frontpage. This also avoids the "Tools" menu being shown in the navigation toolbar, when a user does not have any of the new permissions assigned to them.

    Attached also a .patch version of the full MR, for composer patch workflows.

  • Status changed to Needs review 5 months ago
  • Comment 5 months ago
    🇧🇪Belgium svendecabooter Gent

    Any chance to get this reviewed?

  • Comment 5 months ago
    🇮🇪Ireland lostcarpark

    Sorry, will get reviewed today.

  • Comment 4 months ago
    🇮🇪Ireland lostcarpark

    I've done some manual testing and this looks good to me.

  • Comment 4 months ago
    🇮🇪Ireland lostcarpark
  • Comment 4 months ago
    🇮🇪Ireland lostcarpark

    Rebased to 1.1.x.

  • Comment 4 months ago
    System Message
  • Comment 4 months ago
    🇮🇪Ireland lostcarpark

    Merged into 1.1 branch. I will get a release out soon.

  • Comment 4 months ago
    🇫🇷France Grimreaper France 🇫🇷

    Hello,

    In the update hook:

        if ($role->hasPermission('administer site configuration')) {
      $role->grantPermission('access navigation extra tools')->save();
    }

    The permission "access navigation extra tools" does not exist.

    The introduced permissions are:
    - access navigation extra tools cache flushing
    - access navigation extra tools cron

  • Comment 4 months ago
    🇮🇪Ireland lostcarpark

    Thanks. I missed that, and somehow didn't notice there was an update hook.
    I'll revise the hook to add the new permissions, though I'm in two minds about whether an update hook is needed at all. Will make sure to include in release notes so admins can adjust their permissions if required.
    As a side note, I'm switching to object oriented hooks, but as far as I know, update hooks have to remain procedural (for now).

  • Merge request !23Fixes for permission issues. → (Merged) created by lostcarpark
  • Comment 4 months ago
    🇮🇪Ireland lostcarpark

    I've fixed the issue with the invalid permission being added.

    I also noticed that the permission for the Tools menu was only the module's own permissions, but that wouldn't allow access to other functions such as run database updates, or devel menu options. I'm also aiming to have other options under the tools menu if other modules are enabled in future. For now I'm making the Tools menu available to anyone with access navigation permission. We can look at tightening that up in a follow up issue.

    Also some improvements to tests.

  • Comment 4 months ago
    🇫🇷France Grimreaper France 🇫🇷

    Hello,

    MR 23 is ok for me.

  • Comment 4 months ago
    🇮🇪Ireland lostcarpark

    Merged !23.

  • Comment 4 months ago
    🇧🇪Belgium svendecabooter Gent

    Thanks for the followup, and sorry for the wrong permission logic.

  • Comment 3 months ago
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024