Permissions that are already on the authenticated role should not be allowed to be added to other roles

Created on 19 February 2025, about 2 months ago

Problem/Motivation

When viewing a single role, there is no indication that certain permissions may already be applying to users with that role implicitly, because they are assigned to the authenticated user role. This can be confusing to those less familiar with how Drupal's permission system works.

Core disables permissions that are assigned to the authenticated role and puts a tooltip on those permissions indicating the permission is not selectable because it is already assigned to the authenticated user role.

This mechanism also works with this module but, crucially, only if the authenticated user role is also shown.

Essentially, this is the same as this fairly old issue: #1206946: Filter permissions breaks inherited-permissions js. However, I would humbly try to raise this issue again, as I think it is a UX concern. I've actually "had" to undo a bunch of changes a customer made "because the role did not have all the permissions the authenticated user role has". (Of course "had" to undo may be stretching it a little; no real harm is done. However, I like to keep things clean.)

Steps to reproduce

  1. Have a site with at least one extra role beyond the standard roles
  2. Assign at least one permission to the authenticated user role
  3. Filter the permissions screen on both the authenticated role and the additional role
  4. Notice that the permission(s) assigned to the authenticated role are disabled as illustrated above
  5. Now, only filter on the additional role
  6. Note that the permission(s) assigned to the authenticated role are no longer disabled and can be assigned to the role without problems

Proposed resolution

Reproduce the look of the disabled checkboxes when the authenticated user is on the screen. I believe the tooltip, together with the default behaviour of showing all permissions, is enough to lead users to understand why certain permissions are "hard on".

Remaining tasks

  • Agree this is a good idea
  • Write the code
  • Review
  • Merge

User interface changes

* Check boxes for permissions already assigned to the authenticated user are selected and disabled, regardless of whether the anonymous user role is filtered on screen.

API changes

None.

Data model changes

None.

Feature request
Status

Active

Version

2.0

Component

User interface

Created by

🇳🇱Netherlands eelkeblok Netherlands 🇳🇱


Comments & Activities

  • Issue created by @eelkeblok
  • 🇳🇱Netherlands eelkeblok Netherlands 🇳🇱
  • Here's a quick fix that leverages the core JS behavior attached to the authenticated role checkbox by adding an invisible one to the permission name column.

    Note that I used the visibility property instead of the display property to accommodate the JS observer.

    I avoided adding the proper column of checkboxes regardless of filter settings and hiding them when authenticated is not selected, because some themes (like Gin) clone the table header to display a sticky header.

    This approach is compatible with the overridden permissions fix from https://www.drupal.org/project/filter_perms/issues/3484112 🐛 PermissionsForm should not use overridden permissions Active
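
A minimal model of the behaviour reported in this issue and of the proposed resolution, added here as an illustration; it is not code from Drupal core, from the filter_perms module, or from the fix mentioned above. The role data and the function names `checkboxStates` and `redundantGrants` are constructed for the example.

```javascript
// Constructed sample data: role id -> stored permissions (not from a real site).
const ROLES = {
  anonymous: ['access content'],
  authenticated: ['access content', 'view media'],
  editor: ['edit any article content'],
};
const AUTH = 'authenticated';
// Roles that do not inherit grants from the authenticated role.
const NOT_INHERITING = new Set(['anonymous', AUTH]);

// Checkbox state for every visible role/permission pair.
// inheritFrom 'visible' models the reported behaviour: a checkbox is locked
// only when the authenticated column is among the filtered roles.
// inheritFrom 'stored' models the proposed resolution: the authenticated
// role's stored grants are consulted whatever the filter shows.
function checkboxStates(roles, visibleRoles, permissions, inheritFrom) {
  const authGrants = new Set(roles[AUTH] || []);
  const authKnown = inheritFrom === 'stored' || visibleRoles.includes(AUTH);
  const states = {};
  for (const rid of visibleRoles) {
    states[rid] = {};
    const own = new Set(roles[rid] || []);
    for (const perm of permissions) {
      const inherited =
        authKnown && !NOT_INHERITING.has(rid) && authGrants.has(perm);
      states[rid][perm] = {
        checked: inherited || own.has(perm),
        disabled: inherited,
      };
    }
  }
  return states;
}

// Permissions stored on a role although the authenticated role already
// grants them: the redundant assignments an unlocked checkbox allows.
function redundantGrants(roles) {
  const authGrants = new Set(roles[AUTH] || []);
  const report = {};
  for (const [rid, perms] of Object.entries(roles)) {
    if (NOT_INHERITING.has(rid)) continue;
    const dup = perms.filter((p) => authGrants.has(p));
    if (dup.length) report[rid] = dup;
  }
  return report;
}
```

Running `redundantGrants` over a site's role-to-permission map lists the assignments that would have to be cleaned up after someone ticked boxes that should have been locked.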
