Remove administer all releases permission

Open on Drupal.org →

Created on 13 March 2025, 23 days ago

When doing auditing around the administer all releases permission, I’ve realized it is basically dead code.

It attempts to allow deleting releases in some cases, which we never want. project_release_node_access() prevents this from actually happening.
It gives the security team update access, but they already have bypass node access.
The implementation in drupalorg_node_access() checks for project maintainership, but project_release_node_access() already does this.
The permission is checked in drupalorg_project_form_node_form_alter() for sa nodes, that permission check can be replaced with update security release types which has become the standard “is security team member” check

📌 Task

Status

Active

Version

3.0

Component

Code

Created by

🇺🇸United States drumm NY, US

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @drumm
Comment 23 days ago →
System Message

drumm → committed 498cd961 on 7.x-3.x
Issue #3512840: Remove administer all releases permission

Comment 22 days ago →

drumm → committed fecef61d on 7.x-3.x

Issue #3512840: Export for removed administer all releases permission

Comment 22 days ago →
🇺🇸United States drumm NY, US
This is deployed on D7 and needs porting for modern Drupal
Comment 22 days ago →
System Message

fjgarlin → committed 3eb74a72 on 1.0.x
Issue #3512840: Remove administer all releases permission.
Comment 22 days ago →
🇪🇸Spain fjgarlin
Ported to modern Drupal. The permission is also not used anywhere else in the role's permissions.
Comment 8 days ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024