Contrib.social

Create a new editor flow that does not involve wizards or custom pages

Open on Drupal.org →
Created on 13 January 2025, 3 months ago

Problem/Motivation

The reason we have paths such as /group/{group}/content/add/{plugin_id} to add content to a group is because back when Group was developed for Drupal 8, there was no way to selectively hand out permissions. So we couldn't blanket grant someone permission to /node/add and then try to make it so they would only add nodes to their groups. A secondary problem was that we would need to know what Group entity they wanted to add the node to.

Fast-forward 7 years and we now have the Access Policy API in core. Which means we can completely get rid of the awkward wizards at the path mentioned above. Instead, we can now hand out the "create page content" permission only when the user is inside a certain Group context. While they are in said context and visit node/add/page, they will have access and the form will be modified to contain the required GroupRelationship fields (if any) and upon save, the node will be added to the Group.

Group context you say? Well, the idea is that we create a tiny module called group_context_select that, just like group_context_domain , only contains a context provider to provide a Group the user selected. This could be via dropdown in the admin bar or other means if necessary.

Once you select a group, the Group module will hand out the corresponding permissions in the Drupal scope to allow you to use the regular UI as if you were creating a node inside the whole website. The benefit is that you could easily swap out group_context_select for group_context_domain or any other context provider and everything would still work.

Remaining tasks

  • Create a mapper so that Group permissions can be turned into Drupal permissions
  • Create a context provider where the user can select a Group, criteria TBD (e.g. must have edit access). Do this as a submodule called group_context_select
  • Create a setting in the core Group module that requires a context for this editorial flow to work. Defaults to "Group from URL", but recommended to be set to something else.
  • Create an access policy IN A NEW SCOPE, that maps your Group permissions to Drupal permissions when a group context is detected.
  • Decorate the AccessPolicyProcessor to merge this new scope with the Drupal scope. Reason for this is that we might otherwise make your regular Drupal permissions uncacheable due to too many variations.
  • Show a warning on forms when a user has global node add rights and is in a group context where they can't add nodes, telling them the node will be created outside of the group.

User interface changes

Many, all of the custom routes and wizards we have now will go away.

API changes

None

Data model changes

None

📌 Task
Status

Active

Version

4.0

Component

Code

Created by

🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @kristiaanvandeneynde
  • Comment 3 months ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium
  • Comment 3 months ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium
  • Comment 3 months ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

    We could also decorate the PermissionChecker service to merge the scopes. That might actually be more logical.

  • Comment 3 months ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

    Giving this some more thought and it would mainly affect creation. For that to be possible we need to answer two questions:

    1. What group?
    2. Which plugin?

    We can answer question 1 by using a context provider, one of which could be a selector. Question 2 can be answered if we introduce new logic where only one plugin can leverage entity_access over a particular bundle (or entity type) at any given time. So you could be allowed to have 2 node plugins for "page", but only one of them is allowed to determine entity access.

    At that point, we could fallback to the only logical default.

    Now, to hand out permissions we could use the context provided Group and hand out some Drupal permissions from said group. This need not be limited to just entity create access. We could very well hand out a few other Drupal permissions based on which group entity is active.

    That would change our access policy to take a cache context which returns the active group's permission hash of only those permissions that have a Drupal counterpart. This could lead to only a handful of hashes being possible and not jeopardize the cacheability of the access policies.

    So now we need a system where we can indicate which group permissions can affect your Drupal permissions...

  • Comment 3 months ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium
  • Comment 3 months ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

    Some more thoughts.

    Group selector

    We introduce a Group permission called "set group as active". We adjust the Group query alter to support a new operation "set as active", which checks for said operation. This way we can build a list of groups you're allowed to set as active. Then we can build a selector (dropdown?) where you choose which group you want active or if you want no group active.

    The selector can support a context provider as backup. If a provider is set up, the selector gets an extra option "Automatically selected Group". The selector also always has the option to say "No group is active".

    The selector + fallback behavior will replace the context selector from Group Sites and GS will use the one that ships with Group 4.0.0.

    Drupal permissions from Group

    Every Group permission can specify a Drupal permission it will hand out. The UI will show this in the description saying:
    "If the user has this permission in the active Group they will also receive the "foo" Drupal permission"

    Then we build an access policy handing out these permissions as describe in #5

    The above two items seem like a great place to start building this feature.

  • Comment 2 months ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium
  • Comment about 2 months ago
    🇩🇪Germany geek-merlin Freiburg, Germany

    Kristiaan, my first impression: i like it a lot where this is going!

    Thought a bit about this, and yes, the "domain group preset" case and similar ones are handled nicely.

    There are sites though, where the group must come from the URL, but this can be handled by sth like /node/add/foo?group=123

    Then there are the use cases where group must be selected on the /node/add/foo page itself.

    Which rang a bell:
    Why not suck in a stripped down version of Entity group field ,
    and let widgets (like fromDomain, fromQueryString etc) do the work?

    (Without that la last use case, which we had quite often, might turn out a PITA.)

  • Comment about 2 months ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

    Because entity group field is limited to the assignment of a group. I want this system to be able to hand out core permissions based on which group is active. Being able to add a new node is merely one of said permissions. One that we will have to accommodate the UI for, though.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024