Do not set permission for authenticated users on install

It only auto-adds permissions on install for roles that already have one of the following permissions:

if (
      $role->hasPermission('view own unpublished content') ||
      $role->hasPermission('access content overview') || 
      $role->hasPermission('access in place editing')) {
                $role->grantPermission('view editoria11y checker');
                $role->grantPermission('mark as hidden in editoria11y');
     

This is my attempt to detect editors, not just authenticated users, so that the module "just works" for most sites immediately on install. Site admins can then remove the permission if they do not want it on a particular role.

Do you have one of those permissions assigned to non-editors?

Hi @itmaybejj thanks for the quick response!

I think view own unpublished content is the reason, at least in our case and I think that's not strict enough.
We have that enabled by default for all authenticated users, as it's never risky. But I don't think it's a good enough indication for a real author.

So I'd like to suggest removing that one. I'll prepare a MR.

Thanks and of course it's up to your decision.

I am afraid you are going to have to convince me it is a good idea to give a non-author role an elevated permission to view unpublished content they have authored. If they cannot author content, then there are no nodes for this permission to give them access to, which is why it is not enabled by default for non-editor roles.

So as far as I can tell the only non-authors this permission would make sense to give to would be people who were previously authors and had their author role removed, but you still wanted them to be able to view (but not edit or publish!) something they created but did not publish before they did whatever they did to lose access to the ability to create new content or publish that content. That seems...awfully unlikely, and far from least privilege best practices. Unless there are different use cases in play here I'm not thinking of -- e.g. some form of form-based content creation that non-authors can use where they need this permission?

...so that's why I have been using this permission so far as a proxy for "can edit stuff." It seems to be the only universal "can edit stuff" permission on the default list. The others aren't always enabled on all sites (can use toolbar, can use admin theme) or depend on particular content types being present...

...but note that it just adds the permission on first install. You can drop it on your sites if you want to keep your roles configuration as-is.

@itmaybejj thanks for your feedback. I agree, that might be improved on our end instead. At least there's no better argument than yours.
So I'll close this won't fix!

Thank you! This is a really really useful project! :)

OK fair enough.

For what it's worth I asked the other maintainers to weigh in, and was reminded that they don't like that I automatically set permissions in the first place. Ahh well; it's the endless argument between "turnkey for most sitebuilders" vs "minimum viable install for developers." I'm biased to the former.

Glad you're enjoying it; it's a monster of a project!