Add a report page listing the Access Policy services in the site and what permissions they affect

Created on 12 July 2025, about 2 months ago

Problem/Motivation

The Access Policy API makes customized, fine-grained access easy to implement on any site. Modules can write policy services that grant or revoke permissions to any or all users, depending on context, such as time of day or what page they're on.

As someone who needs to audit the policies, it would be useful to have a list of the Policy services on a single page under Admin > Reports, similar to the field list report.

Proposed resolution

Add a couple functions to the AccessPolicyInterface that requires the policy to return a list of the affected permissions and a short description of what it is trying to accomplish. Add a page that collects the affected permissions and descriptions from each of the AccessPolicy services.

Remaining tasks

  • Add public function getAffectedPermissions(): array to AccessPolicyInterface
  • Add public function getPolicyDescription(): string to AccessPolicyInterface.
  • Create a Reports > Access Policies page to list the policies in the site.

The initial implementation can log a warning that no permissions list or description is available for the policy. In Drupal 12, the two functions should be required.

Alternate implementation: use annotations for the permissions list and description.

User interface changes

Addition of an Access Policy report page.

Introduced terminology

"Access Policy API." (seriously, no one knows what this is.)

API changes

  • + AccessPolicyInterface::getPermissionList(): array
  • + AccessPolicyInterface::getPolicyDescription(): string
✨ Feature request
Status

Active

Version

11.2 🔥

Component

other

Created by

🇺🇸 United States John Franklin


Comments & Activities

  • Issue created by @John Franklin
  • 🇳🇿 New Zealand quietone

    Changes are made on 11.x, the main development branch first. Thanks.

  • 🇧🇪 Belgium kristiaanvandeneynde Antwerp, Belgium

    Add a couple functions to the AccessPolicyInterface that requires the policy to return a list of the affected permissions

    That might give false info as another policy could easily override that.

    A description could be nice. So maybe start with an overview of currently active policies that show a name and description and then instruct the more technical people where to look if they want to see the code?

    Either way, I'm a fan of an overview. I just don't want to overload access policies with methods for the sake of the overview; getLabel() and getDescription() could be nice, getAffectedPermissions() not so much.

    You could use attributes, but those get discovered regardless of whether the policy is actually in use. E.g.: If module A has an access policy that module B swaps out, then there's no point in showing module A's version in the UI. With attributes, you would do just that, whereas with methods you would only load the active policies. (Swapping out or decorating access policies is an edge case and generally not recommended, but it's nice to keep the option open)

    Moshe suggested you try putting this in https://www.drupal.org/project/security_review. You could start by listing the class names in your UI, see how that looks and then circle back here to request two new methods for more descriptive info.
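
The objection in the comment above, that a self-declared permission list can be overridden by another policy, shown as an added example that is not part of the issue or of Drupal core. It is a simplified PHP model in which every policy first calculates and then may alter the permission set; the interface, both policy classes and the permission strings are constructed for illustration.

```php
<?php
// Simplified model of calculate-then-alter processing; NOT Drupal's own classes.
// The interface, both policies and the permission names are constructed.
interface ModelPolicy {
  public function getAffectedPermissions(): array;  // self-declared list, as proposed
  public function calculate(array $ctx): array;     // permissions this policy grants
  public function alter(array $ctx, array $perms): array; // may change the merged set
}

final class EditorPolicy implements ModelPolicy {
  public function getAffectedPermissions(): array { return ['edit any content', 'delete any content']; }
  public function calculate(array $ctx): array { return $this->getAffectedPermissions(); }
  public function alter(array $ctx, array $perms): array { return $perms; }
}

// Context-dependent policy: outside 09:00-17:00 it strips every "delete ..." permission.
final class OfficeHoursPolicy implements ModelPolicy {
  public function getAffectedPermissions(): array { return []; } // cannot know in advance
  public function calculate(array $ctx): array { return []; }
  public function alter(array $ctx, array $perms): array {
    if ($ctx['hour'] >= 9 && $ctx['hour'] < 17) { return $perms; }
    return array_values(array_filter($perms, fn(string $p) => !str_starts_with($p, 'delete ')));
  }
}

// Effective permissions: every calculate() runs first, then every alter().
function effectivePermissions(array $policies, array $ctx): array {
  $perms = [];
  foreach ($policies as $p) { $perms = array_merge($perms, $p->calculate($ctx)); }
  $perms = array_values(array_unique($perms));
  foreach ($policies as $p) { $perms = $p->alter($ctx, $perms); }
  return $perms;
}

// One row per declared permission, checked against what the context really yields.
function auditReport(array $policies, array $ctx): array {
  $effective = effectivePermissions($policies, $ctx);
  $rows = [];
  foreach ($policies as $p) {
    foreach ($p->getAffectedPermissions() as $perm) {
      $rows[] = [get_class($p), $perm, in_array($perm, $effective, true) ? 'effective' : 'declared but overridden'];
    }
  }
  return $rows;
}

foreach ([10, 22] as $hour) {
  foreach (auditReport([new EditorPolicy(), new OfficeHoursPolicy()], ['hour' => $hour]) as $row) {
    printf("%02d:00  %s\n", $hour, implode(' | ', $row));
  }
}
```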
