Contrib.social

Add dblog-specific permissions to control access to dblog routes

Open on Drupal.org β†’
Created on 12 December 2024, 4 months ago

Problem/Motivation

While creating reports for some of the users on one of the sites I'm currently working on, I realized that they should be reachable from the Reports menu, not the Content menu, which is where we've been putting our custom reports up to this point.

When I masqueraded as one of the users (a non-admin user) who would access these reports, I found that some dblog reports were still visible in the menu. This led me to find that the dblog reports' permissions are based on the 'access site reports' permission, which is the same permission used to grant access to the Reports menu item (specifically the system.admin_reports route in web/core/modules/system/system.routing.yml).

There should be a permission specific to the dblog module that grants access to dblog-related reports to prevent users who shouldn't see these reports from being able to see them.

Proposed resolution

I propose the following changes:

  • Add an 'access dblog reports' permission
  • Change the permission requirement on all dblog routes from 'access site reports' to 'access dblog reports'

Remaining tasks

  • Write tests to ensure the 'access dblog reports' permission works as intended.

User interface changes

Users with the 'access site reports' permission but without the 'access dblog reports' permission will no longer be able to access dblog reports. Users who should be able to access these reports will need the 'access dblog reports' permission added to at least one of their assigned roles.

Introduced terminology

None.

API changes

None.

Data model changes

None.

Release notes snippet

  • Added the 'access dblog reports' permission to control access to dblog routes.
  • Updated dblog routes to use the 'access dblog reports' permission.
✨ Feature request
Status

Active

Version

11.0 πŸ”₯

Component

dblog.module

Created by

πŸ‡ΊπŸ‡ΈUnited States jsutta United States

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @jsutta
  • Merge request !10537Add dblog-specific permissions to control access to dblog routes β†’ (Open) created by jsutta
  • Pipeline finished with Failed
    4 months ago
    Total: 556s
    #366742
  • Pipeline finished with Failed
    4 months ago
    Total: 140s
    #366983
  • Pipeline finished with Failed
    4 months ago
    Total: 460s
    #366991
  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States

    Adding a patch for 10.3.x (that's our current branch) in case anyone else can use it.

  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States
  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States
  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States
  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States

    Updated the patch as I missed a couple uses of the 'access site reports' permission.

  • Pipeline finished with Failed
    4 months ago
    Total: 467s
    #367723
  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States

    One more new version of the patch. I forgot to add dblog.permissions.yml to the previous versions.

  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    So I wonder if we will need an upgrade hook for the view change, maybe not though since we aren't removing a permission.

    The update hook will need test coverage though.

    Probably need to expand on the existing tests too that if I have 'access site reports' then I can't access the logs
    And other side if I have 'access dblogs reports' then I can still get to the "Reports" tab but it only contains the one link

    Appears to have test failures also.

  • Pipeline finished with Failed
    2 months ago
    Total: 146s
    #417153
  • Pipeline finished with Failed
    25 days ago
    Total: 122s
    #450650
  • Pipeline finished with Failed
    25 days ago
    Total: 129s
    #450680
  • Pipeline finished with Failed
    25 days ago
    Total: 140s
    #450699
  • Issue was unassigned.
  • Status changed to Needs work 25 days ago
  • Comment 25 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States

    @smustgrave Thank you for the suggestions and I apologize it took me so long to circle back to this.

    Here's a summary of the latest changes:

    • Added an update hook to update the Watchdog view if it uses the default permissions (I assume we want to leave it alone if the site owner has customized it).
    • Added test coverage for the update hook (the test coverage checks the permission on the Watchdog view before and after the update).
    • Added test coverage to check if a user with the 'access site reports' permission can see the Reports menu item in the admin toolbar.
    • Added test coverage to check if a user with the 'access dblog reports' permission can access the Recent log messages page.

    This is the first time I've written these types of tests, so please double-check them and let me know if anything is missing or incorrect.

    Also, I haven't addressed the test failures yet. I hope to do so within the next couple days.

  • Pipeline finished with Failed
    25 days ago
    #450712
  • Pipeline finished with Failed
    24 days ago
    Total: 604s
    #451190
  • Pipeline finished with Failed
    24 days ago
    Total: 531s
    #451208
  • Pipeline finished with Failed
    24 days ago
    Total: 174s
    #451324
  • Pipeline finished with Failed
    24 days ago
    Total: 134s
    #451335
  • Pipeline finished with Failed
    24 days ago
    Total: 159s
    #451334
  • Pipeline finished with Failed
    24 days ago
    Total: 406s
    #451354
  • Pipeline finished with Failed
    21 days ago
    Total: 612s
    #454614
  • Pipeline finished with Failed
    20 days ago
    Total: 206s
    #454686
  • Pipeline finished with Failed
    20 days ago
    #454689
  • Pipeline finished with Failed
    20 days ago
    Total: 636s
    #454695
  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States

    @smustgrave I finally got the tests completed and all are now passing. Would you take another look at it and let me know if any other changes need to be made?

  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States
  • Comment 18 days ago β†’
    πŸ‡¦πŸ‡·Argentina dagmar Argentina

    @jsutta Thanks for the patch!

    There are a few files that are outside dblog but will need an upgrade as well:

    Here are a bunch of patters to check:

    rg 'dblog' | rg 'access site reports'

    modules/update/update.report.inc:  if (\Drupal::moduleHandler()->moduleExists('dblog') && \Drupal::currentUser()->hasPermission('access site reports')) {
modules/system/system.theme.inc:  if (\Drupal::moduleHandler()->moduleExists('dblog') && \Drupal::currentUser()->hasPermission('access site reports')) {
modules/ckeditor5/src/SmartDefaultSettings.php:      $can_access_dblog = ($this->currentUser->hasPermission('access site reports') && $this->moduleHandler->moduleExists('dblog'));
modules/locale/locale.batch.inc:      if (\Drupal::moduleHandler()->moduleExists('dblog') && \Drupal::currentUser()->hasPermission('access site reports')) {
modules/locale/locale.bulk.inc:        if (\Drupal::moduleHandler()->moduleExists('dblog') && \Drupal::currentUser()->hasPermission('access site reports')) {

    And the following files reference the dblog routing as well, so it may be worth to check the permissions there:

    lib/Drupal/Core/Routing/routing.api.php:1
modules/system/tests/src/Functional/Menu/BreadcrumbTest.php:1
modules/system/tests/src/Functional/File/FileSaveHtaccessLoggingTest.php:1
modules/system/tests/src/Functional/Pager/PagerTest.php:4
modules/migrate_drupal/tests/fixtures/drupal7.php:4
modules/search/tests/src/Functional/SearchNumberMatchingTest.php:1
modules/search/tests/src/Functional/SearchNumbersTest.php:1
modules/search/tests/src/Functional/SearchConfigSettingsFormTest.php:2
modules/user/tests/src/Functional/UserPermissionsTest.php:1
modules/filter/tests/src/Functional/FilterAdminTest.php:2
modules/contact/tests/src/Functional/ContactPersonalTest.php:1
modules/contact/tests/src/Functional/ContactSitewideTest.php:1
tests/fixtures/config_install/multilingual/views.view.watchdog.yml:2
modules/migrate_drupal_ui/tests/src/Functional/MigrateUpgradeExecuteTestBase.php:1
modules/file/tests/src/Functional/SaveUploadTest.php:1
modules/file/tests/src/Functional/SaveUploadFormTest.php:1
tests/Drupal/FunctionalTests/Theme/ClaroTest.php:1
  • Pipeline finished with Failed
    12 days ago
    Total: 591s
    #461006
  • Pipeline finished with Failed
    12 days ago
    Total: 491s
    #461021
  • Comment 12 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jsutta United States

    @dagmar Thank you for the catches! I've added the access dblog reports permission in the other locations where the access site reports was already being used, with one exception:

    In modules/migrate_drupal_ui/tests/src/Functional/MigrateUpgradeExecuteTestBase.php: The user in this test is the root user (uid 1), so should implicitly have all permissions. With that in mind there's no need to set the specific permission.

  • Pipeline finished with Failed
    12 days ago
    Total: 862s
    #461045
  • Comment 3 days ago β†’
    πŸ‡¦πŸ‡·Argentina dagmar Argentina

    Thanks @jsutta Please take a look to the rest of the failing tests in https://git.drupalcode.org/issue/drupal-3493583/-/pipelines/461051

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024