Don't override default security warning when providing custom warning on a permission

Created on 29 September 2025, 9 days ago

Problem/Motivation

It is possible to use a "warning" key on permissions to provide a custom explanation of why a permission is dangerous.
However, this is never used in core and I have never seen it used in a contrib module.
One of the reasons is that it is poorly documented, but also the PermissionHandlerInterface::getPermissions() docblock does not recommend using this key because it overrides the default warning.

I think it would be better to always keep the default warning (because site admins are used to seeing it and know what it means) but allow adding additional context about why the permission is dangerous.

Steps to reproduce

Add a custom permission:

insert javascript:
  title: 'Insert custom JavaScript into pages'
  restrict access: true
  warning: 'This permissions is dangerous because it allows injecting arbitrary JS'

Proposed resolution

The custom warning could be appended to the default warning.

Backdrop does something similar (see https://github.com/backdrop/backdrop-issues/issues/5536).

Feature request
Status

Active

Version

11.0

Component

user system

Created by

🇫🇷France prudloff Lille
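
The proposed resolution, sketched as an added example that is not part of the original issue and is not Drupal core code: it compares the override behaviour described above with appending the custom text to the default warning. The function names are hypothetical, and the default warning string is an assumption about the text core shows for "restrict access" permissions.

```php
<?php
// Added illustration; not Drupal core code. Function names are hypothetical.

// Assumption: the default text shown for 'restrict access' permissions.
const DEFAULT_WARNING = 'Warning: Give to trusted roles only; this permission has security implications.';

/** Behaviour described in the issue: a custom 'warning' replaces the default. */
function current_warning(array $permission): string {
  $restricted = !empty($permission['restrict access']);
  return $permission['warning'] ?? ($restricted ? DEFAULT_WARNING : '');
}

/** Proposed behaviour: keep the default warning and append the custom context. */
function proposed_warning(array $permission): string {
  $parts = [];
  if (!empty($permission['restrict access'])) {
    $parts[] = DEFAULT_WARNING;
  }
  // An empty or whitespace-only custom warning adds nothing.
  $custom = trim((string) ($permission['warning'] ?? ''));
  if ($custom !== '') {
    $parts[] = $custom;
  }
  return implode(' ', $parts);
}

$permissions = [
  // The permission from "Steps to reproduce", as the parsed YAML array.
  'insert javascript' => [
    'title' => 'Insert custom JavaScript into pages',
    'restrict access' => TRUE,
    'warning' => 'This permissions is dangerous because it allows injecting arbitrary JS',
  ],
  // Constructed: a restricted permission without a custom warning.
  'administer example' => ['title' => 'Administer example', 'restrict access' => TRUE],
  // Constructed: a custom warning on a permission that is not restricted.
  'use example' => ['title' => 'Use example', 'warning' => 'Exposes draft content.'],
];

foreach ($permissions as $name => $permission) {
  printf("%s\n  current:  %s\n  proposed: %s\n", $name,
    current_warning($permission), proposed_warning($permission));
}
```

Only the first permission differs between the two functions: under the override behaviour the familiar "trusted roles only" text disappears, while the appended form keeps it and adds the module's explanation after it.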
