Content authors cannot see components

Issue created by @mglaman
Comment about 1 month ago →
🇺🇸United States mglaman WI, USA
Comment about 1 month ago →
🇺🇸United States mglaman WI, USA
Comment about 1 month ago →
🇺🇸United States mglaman WI, USA
Comment about 1 month ago →
🇺🇸United States mglaman WI, USA
Comment about 1 month ago →
🇫🇮Finland lauriii Finland
Do we need a generic "Use Experience Builder" permission which we'd use for the XB route and would move the components behind it? Otherwise it is pretty complicated to figure out when users should have access to the components.
Comment about 1 month ago →
🇪🇸Spain isholgueras
In the ticket 📌 Provide granular permissions for pages Active there were these 3 permissions (create, edit and delete).

As I didn't have any option for overview or a general "administer", I could only use "edit xb_page" as the permission to use whenever a editor wants to edit it.

Maybe I was mistaken or maybe it's not clear.
Comment 25 days ago →
🇫🇮Finland lauriii Finland
Comment 20 days ago →
🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
✅ Config entity access control handler

The Component config entity type uses \Drupal\experience_builder\EntityHandlers\ContentCreatorVisibleXbConfigEntityAccessControlHandler, which has:

// We always allow viewing these entities. 'view' => AccessResult::allowed(),
(since 📌 Add access control for "code components" and "asset libraries", special case: instantiated code components must be accessible to *all* Active )

✅ Route definition's requirements

The culprit is

experience_builder.api.config.list: path: '/xb/api/config/{xb_config_entity_type_id}' … requirements: _permission: 'administer themes'
Choices

Either:

Remove the route requirements altogether and rely on its individually checking access:

// As config entities do not use sql-storage, we need explicit access check // per https://www.drupal.org/node/3201242. $config_entities = array_filter($config_entities, fn(XbHttpApiEligibleConfigEntityInterface $config_entity) => $config_entity->access('view'));

Or defining a collection_permission, which is why the Block config entity for example has

collection_permission: 'access block library',
I don't think we want any net new permissions though. 😅

🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

IMHO the simplest approach is this:

diff --git a/experience_builder.routing.yml b/experience_builder.routing.yml
index fde9ce0a3..cb10b697d 100644
--- a/experience_builder.routing.yml
+++ b/experience_builder.routing.yml
@@ -130,7 +130,6 @@ experience_builder.api.config.list:
   defaults:
     _controller: 'Drupal\experience_builder\Controller\ApiConfigControllers::list'
   requirements:
-    _permission: 'administer themes'
     # Any internal HTTP API-eligible XB config entity type.
     _xb_http_eligible_config_entity: 'TRUE'
     # But deter users from trying to access other config entities via this route: this ensures 404 responses rather than

Because

    # The UI client can fetch all the components the current user has access too, regardless of which kind of XB-enabled
    # entity you're editing.
    _user_is_logged_in: 'TRUE'

already ensures no anonymous users can access it. That was added by 📌 Add access control for "code components" and "asset libraries", special case: instantiated code components must be accessible to *all* Active and it seems a simple oversight that that the _permission part was not removed?

Comment 15 days ago →
🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

Content authors cannot see components

Overview

Proposed resolution

User interface changes

Comments & Activities

✅ Config entity access control handler

✅ Route definition's requirements

Choices