If paragraph library items are published, then the canonical entity view pages are available to anonymous users.
e.g. /admin/content/paragraphs/5
Ideally there would be a separate permission controlling access to this route.
Comment | File | Size | Author |
---|---|---|---|
#6 | paragraphs-library-permission-3099016-6.patch | 1.04 KB | dxvargas |
#4 | paragraphs-library-permission-3099016-4.patch | 1.67 KB | joao.ramos.costa |
#2 | paragraphs-library-permission-3099016-2.patch | 1.58 KB | malcomio |
Comments
Comment #2
malcomio (credit: malcomio at Capgemini) commented:
This patch adds a "view paragraph library item" permission
Comment #3
Berdir commented:
I'd even say it's a bug that they're available. But let's also support the existing permissions, I'd say administer paragraphs library and also the edit permission should allow access. Per \Drupal\user\Access\PermissionAccessCheck, multiple permissions combined with "+" is an OR.
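The "+" behaviour referred to in comment #3, as an added example (not code from this issue, its patches, or Drupal core): a standalone PHP function modelled on how a route `_permission` string is split, applied to a requirement of the shape the comment proposes. It goes slightly beyond the comment by also covering the "," (AND) form; the function name, the sample accounts and the `edit paragraph library item` permission name are assumptions.

```php
<?php
// Added illustration, not Drupal's or the Paragraphs module's own code.

/**
 * Hypothetical helper: evaluates a route "_permission" requirement string
 * against the list of permissions an account holds.
 */
function requirement_allows(string $requirement, array $granted): bool {
  // A comma means AND and is checked first: when one is present,
  // the pieces are NOT split again on '+'.
  $all = explode(',', $requirement);
  if (count($all) > 1) {
    foreach ($all as $permission) {
      if (!in_array($permission, $granted, TRUE)) {
        return FALSE;
      }
    }
    return TRUE;
  }
  // No comma: '+' means OR, so any one listed permission is enough.
  foreach (explode('+', $requirement) as $permission) {
    if (in_array($permission, $granted, TRUE)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Requirement in the shape comment #3 proposes (edit permission name assumed).
$requirement = 'administer paragraphs library+edit paragraph library item';

// Constructed sample accounts and their granted permissions.
$accounts = [
  'anonymous' => ['access content'],
  'editor' => ['access content', 'edit paragraph library item'],
  'library admin' => ['administer paragraphs library'],
];

foreach ($accounts as $name => $granted) {
  $result = requirement_allows($requirement, $granted) ? 'allowed' : 'denied';
  printf("%-14s %s\n", $name, $result);
}

// Separators do not nest: 'a+b,c' asks for a permission literally named
// "a+b" AND "c", so an account holding "a" and "c" is still refused.
$mixed = requirement_allows('a+b,c', ['a', 'c']) ? 'allowed' : 'denied';
printf("%-14s %s\n", 'mixed a+b,c', $mixed);
```

Because separators do not nest, a route that needs "(A or B) and C" cannot express it in one `_permission` string.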
Comment #4
joao.ramos.costa commented:
Following #3 I leave this small contribution, I hope it will be useful.
Comment #5
idebr (credit: idebr at iO) commented:
The `view [entity type]` permission pattern typically applies to all `view` operations in the entity access control handler. To prevent confusion I suggest we do not introduce a new permission but reuse the `edit` access check for the canonical route.
Comment #6
dxvargas commented:
I agree with @idebr that using the `view` permission only for the canonical view is confusing.
I also agree, using the `edit` permission is a good suggestion.
Doing it like this, we'll make the canonical view available to editors only. I consider this an adequate solution.
Paragraph library items are meant to be used within other content and not in solo mode. If this is a requirement, a custom permission can be easily set up.
I'm submitting a new patch with this approach.
Comment #7
herved commented:
I tend to agree with #5 and #6.
Patch #6 works as expected.
Tests are passing on D8.
Test failures for D9 are also in 8.x-1.x and related to #3229472: Fix D9 test fails.
Moving this to needs review.
Comment #8
herved commented
Comment #9
Berdir commented:
Thanks, committed. While we don't have explicit tests on not being able to access it, we have implicit tests that it still works for the existing permissions as earlier patches with a new permission failed.
Comment #12
Berdir commented:
The hardcoded permissions caused a problem for us in one project and I should have realized that sooner. Pretty sure that's what #5 actually meant. Follow-up that changes the approach here: #3307481: Change library item canonical access to use the update entity access operation instead of hardcoded permissions. Please test and confirm that this still works for you if you rely on this.