Note: This issue expands on [#1539928]

Panels IPE is controlled by a few permissions:

1. Use the Panels In-Place Editor
2. Change layouts with the Panels In-Place Editor

The first one grants access to the entire IPE functionality; the second one controls access to a sub-functionality: changing layout. It's perfectly possible to give access to IPE while disallowing layout changes.

Apart from that, there are lots of other CTools and panel related permissions such as the use of page manager, the panels dashboard, and so on. I don't think these are relevant to the discussion of controlling access to IPE because they don't affect IPE as such. A role can't have access to panels from the backend but still be able to use the IPE to change the content from the frontend theme. Merlin has already stated several times this is intended behavior: I agree.

The same goes for everything which plugs into the system via CTools: node access, custom panes, panelizer, etc. On the surface, node access and IPE access are 2 related things, but on a system level, they are two completely separate things.

However.

If you look at the implementation of IPE permissions themselves, they don't cover more intricate use cases where panels are used in more complicated contexts. Panels used within Organic Groups & Domain context are the first to come to mind, but basically anything could go (Heck, I should even be able to add time based access to IPE if I want to without hacking the entire thing).

(Disclosure: I'm currently blocked by IPE not playing nice with Domain: the same page is reused over different domains, but access to its content via IPE should be restricted to only 1 domain)

The problem:

The IPE panels_renderer_pipeline (exported definition in panels_ipe_pipelines.inc) uses the CTools perm plugin, which basically doesn't do much more than a user_access check against the 'use panels in place editing' permission.

Possible solutions

Since the IPE pipeline is a CTools plugin itself, I was wondering if there is some way to alter the plugin or the $pipeline object and switch the perm access plugin with a custom perm access plugin.

At this time, I can't find a hook where I could plug in to do this. So, I'm considering creating my own pipeline renderer plugin implementing an adapted, custom access plugin while extending the panels_renderer_ipe class. (Is this even doable at all?)

Easiest would be if we could alter the object in hook_default_panels_renderer_pipeline() and run ctools_export_crud_load_all('panels_renderer_pipeline') with the $reset flag I think.

Patching the IPE module would compromise the nice loose coupling between the different systems, so I wouldn't go there at all.

Any advice?

| Comment | File | Size | Author |
| --- | --- | --- | --- |
| #3 | ipe_role.tar_.gz | 2.51 KB | netsensei |

Comments

netsensei

Okay.

Looks like I cracked this. Instead of extending classes or altering code, I just had to create a new pipeline plugin which reuses the existing ipe renderer in my own custom module. The new plugin definition gives me the liberty to switch between access plugins and even plug my own custom access plugin.

This is what I did in a custom module:

- Created/registered a custom access plugin
- Registered a new panels pipeline renderer plugin
- Implemented ipe_role_default_panels_renderer_pipeline()
- Reused the ipe renderer implemented in panels_ipe (don't write my own class, don't have to!)
- Changed dependent access plugins in the definition with my custom implementation
- Profit!!

Example code attached.
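The steps listed in this comment, as an added sketch for Drupal 7; it is not the attached ipe_role module or the Panels project's own code. It shows three files in one listing. The `ipe_domain` pipeline and plugin names, the `ipe_role_domain_access_check` callback and the sample domain id are hypothetical, and the check assumes the Domain Access module's `domain_get_domain()` is available.

```php
<?php
// --- ipe_role.module ---
function ipe_role_ctools_plugin_directory($owner, $plugin_type) {
  // Tell CTools where this module keeps its access plugins.
  return ($owner == 'ctools' && $plugin_type == 'access') ? 'plugins/access' : NULL;
}
function ipe_role_ctools_plugin_api($module, $api) {
  // Makes CTools load ipe_role.pipelines.inc from the module directory.
  return ($module == 'panels' && $api == 'pipelines') ? array('version' => 1) : NULL;
}
// --- ipe_role.pipelines.inc ---
function ipe_role_default_panels_renderer_pipeline() {
  $user = 'logged-in-user';
  $pipeline = new stdClass();
  $pipeline->disabled = FALSE;
  $pipeline->api_version = 1;
  $pipeline->name = 'ipe_domain'; // Hypothetical pipeline name.
  $pipeline->admin_title = t('In-Place Editor (one domain only)');
  $pipeline->admin_description = t('IPE restricted by a custom access plugin.');
  $pipeline->weight = 0;
  $pipeline->settings = array('renderers' => array(array(
    'access' => array(
      'plugins' => array(
        // Keep the stock permission check, then AND the custom plugin onto it.
        array('name' => 'perm', 'context' => $user,
          'settings' => array('perm' => 'use panels in place editing')),
        array('name' => 'ipe_domain', 'context' => $user,
          'settings' => array('domain_id' => 1)), // Constructed sample id.
      ),
      'logic' => 'and',
    ),
    'renderer' => 'ipe', // Reuse the renderer class shipped with panels_ipe.
    'options' => array(),
  )));
  return array($pipeline->name => $pipeline);
}
// --- plugins/access/ipe_domain.inc ---
$plugin = array(
  'title' => t('IPE: active domain'),
  'callback' => 'ipe_role_domain_access_check',
  'default' => array('domain_id' => 0),
  'required context' => new ctools_context_required(t('User'), 'user'),
);
function ipe_role_domain_access_check($conf, $context) {
  // Fail closed: no user context, no Domain Access, or no match means no IPE.
  if (empty($context->data) || !function_exists('domain_get_domain')) { return FALSE; }
  $domain = domain_get_domain();
  return !empty($conf['domain_id']) && isset($domain['domain_id'])
    && (int) $domain['domain_id'] === (int) $conf['domain_id'];
}
```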

netsensei

File size: 2.51 KB
DamienMcKenna

Version: 7.x-3.3 » 7.x-3.x-dev
PI_Ron

Is there anything happening here in regards to permissions for content panes?

netsensei

Status: Active » Postponed

No. This is about permissions on the renderer level. IPE is the first one that comes to mind. Permissions for content panes on a per-instance level (page, variant, region) are not covered here.

The problem here is that the permission component of a renderer is not really pluggable. I think we should postpone this to the 8.x version and leverage the D8 plugins API.

PI_Ron

Are there any other options for content panes permissions?

PI_Ron

@netsensei I have not been clear in my first comment, but I was actually referring to the IPE, and pane permissions for it. For example, being able to set whether a particular pane can be added/edited/deleted using the IPE, per role.

I have found this issue, which allows turning off the IPE buttons per role globally (for all panes), however there is still no solution for individual panes.

https://www.drupal.org/node/1699432#comment-9502413

candelas

I would be very interested in this feature. @netsensei I will try your custom module tomorrow and report how it goes. Thanks