Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
There are several places now in Drupal core, where you want some kind of logic which has N conditions in a single string
.Someone want to either select items which match to all this N conditions, or just one of them.
Back in the days taxonomy introduced the concept of "+" / ",". So if you specify "1,2,3" you want nodes to have all this terms,
but with "1+2+3" you want nodes to have just one of the terms.
That's used nowadays in #1956896: Add role based access checker and Views contextual filters in general.
Comment | File | Size | Author |
---|---|---|---|
#61 | permissions-1986640-60.patch | 11.3 KB | dawehner |
#61 | interdiff.txt | 2.1 KB | dawehner |
#55 | permissions-1986640-55.patch | 11.85 KB | Wim Leers |
#45 | permissions-1986640-45.patch | 10.62 KB | dawehner |
#43 | interdiff.txt | 6.84 KB | dawehner |
Comments
Comment #1
dawehnerI have no clue about a proper component, but profile is probably wrong ;)
Comment #2
Crell CreditAttribution: Crell commentedAs long as we document it and are consistent, I have no objection to + and , used in that way.
Now that the role checker is using it, it may make sense to do the same to the permission checker.
Comment #3
aspilicious CreditAttribution: aspilicious commentedI agree with everything Crell says :)
Comment #4
effulgentsia CreditAttribution: effulgentsia commentedWell, it's a Drupalism, and aren't we trying to get rid of those? Wouldn't
|
and&
or||
and&&
be a bit more self documenting?Note that for most route requirements (including _format and _method), Symfony evaluates the requirement as a regular expression, so you could see YAML like this:
Where the "|" in a regular expression functions similarly to a logical OR.
However, this issue is related to a route requirement applied to an array ($account->roles) rather than a string, so I don't think regexes are a good fit for expressing that.
Comment #5
effulgentsia CreditAttribution: effulgentsia commentedTo avoid confusion with regex syntax, this patch implements the || and && approach, with single space required on each side.
Comment #6
dawehnerGood idea, though I fear this approach does not work for contextual filters in views.
It would be great to keep this trimming as it just improves DX. Any reason why not to keep it?
Comment #7
effulgentsia CreditAttribution: effulgentsia commentedAh, so we still need a string syntax that's URL friendly for contextual filters. I thought this issue was just about a syntax for YAML files. Hm, need to think about it some more then.
My initial thought on removing trimming is that Symfony doesn't do auto-trimming of other evaluations in _requirements, and I wanted to be consistent with that. No strong preference though.
Comment #8
Crell CreditAttribution: Crell commentedI'd prefer to keep the trimming for the improved DX.
The reason for using + and , is exactly as dawehner said, that's what Views uses, and what Taxonomy has always used. Switching to &&/|| in the YAML file would be more sensible in the YAML, but inconsistent elsewhere. URLs have to stick with + and ,.
We either have a consistent Drupalism or a Drupalism in some places but not others. I don't have a strong opinion either way.
Comment #9
dawehnerYeah let's better be consistent for now.
Comment #11
dawehnerJust removing the failures and some debugging.
Comment #12
Crell CreditAttribution: Crell commentedThis code doesn't support mixing and and or operations. Are we OK with that? (I am, because it's a crazy edge case to mix both here, but that should be a conscious decision.)
Let's keep this @todo.
Comment #13
aspilicious CreditAttribution: aspilicious commentedIf you need such an edge case you ca write your own system and plug it in :)
Comment #14
dawehnerWe can still add that later, if needed, but yeah I don't see many usecases for that.
Comment #15
Crell CreditAttribution: Crell commentedI'm not sure I see the purpose for this change.
We need a comment or docblock explaining that ,-separated means "any of" and +-separated means "all of". In the docblock of this method is probably sufficient.
Comment #16
dawehnerLet's use this way to allow subplugins to be registered (so you can easily provide a access checker like the one for "access all views").
Comment #18
dawehner#16: vdc-1986640-16.patch queued for re-testing.
Comment #19
damiankloip CreditAttribution: damiankloip commentedMaybe 'The requirement key to be used' instead?
Maybe a couple of one liners around here for OR and AND logic.
Is it almost worth having a helper for this? not sure.
Could we just move these into a setUp() method? or does the use of data providers do a setUp/teadDown between each iteration?
Just out of interest, is the an issue to do something with this? user access is going to, and is already, being used in OO code. Not a part of this issue, just to be clear.
Comment #20
dawehnerPutting this into another method would make it potentially harder to read.
Comment #21
Crell CreditAttribution: Crell commentedActually, now that global $user is a UserSession object, and is available via the request, we could probably do this instead:
$request->attributes->get('account')->hasPermission($permission);
... Except, crap, no, because there's only a getRoles() method, not a hasPermission() method. So that has to wait for #1966334: Convert user_access to User::hasPermission(), which adds that method. *sigh*
That's an internal followup, so can happen later. No sense blocking these patches on each other.
Comment #22
alexpottSo the thing is there is nothing to stop us from declaring permissions like so...
We also need to consider the upgrade path here...
Comment #23
Crell CreditAttribution: Crell commentedA change notice that permission names cannot have those characters and (as suggested in meatspace by xjm) just an exception if you try to declare a permission with non-alphanumeric-plus-space characters should suffice here.
Comment #24
Crell CreditAttribution: Crell commentedFor Alex...
Comment #25
dawehnerOne problem I do see with that is that people started to use "." in the permission machine name. (Not sure which patch this was, though).
Comment #26
Crell CreditAttribution: Crell commentedOK, alphanumeric plus period? :-) Is there a reason we can't just blacklist , and + (and maybe others, maybe not) to resolve this issue?
It probably affects roles too at the moment, and we already have conjunction support for those...
Comment #27
dawehnerI am fine with blacklisting "," and "+" though the question is how to enforce that properly. For roles we can add something in the UI, but for permissions we might check them somewhere and throw an error?
Comment #28
Crell CreditAttribution: Crell commentedFor route rebuild, we've taken the approach of "if your route has invalid properties in it, watchdog it and skip that entry".
A similar approach for permission rebuild (which then gets cached anyway) seems reasonable.
Comment #29
dawehnerI am not really sure what a proper place for checking the permissions would be. The current access checker is written in a way that it can't execute runtime code for every route building.
Comment #30
Crell CreditAttribution: Crell commentedWell, I expected that all calls to get permission data went through some common front-end utility that we could modify. It looks like that's not the case, however, as there are module_invoke_all('permission') and $moduleHandler->getImplementations('permission') and $moduleHandler->invokeAll('permission') calls scattered all over the place. :-( That's a separate thing to fix. Drat.
Comment #31
dawehner#29: permission-1986640-29.patch queued for re-testing.
Comment #32
damiankloip CreditAttribution: damiankloip commented@var ...
Also, do we actually need to use a property for this? vs just returning the '_permission' string. I guess currently we kind of mix both ways.
So, we are using this pattern in a few places now (or atleast will be). I'm thinking it would be cool if we could abstract this out but not sure how possible that is right now as we'd need some nice way to invoke 'things'
Same as other comment above, do we need this much from our appliesTo() method? If we keep this, these methods should be testAppliesTo. actually where is the testApplies() test method?!
Comment #33
pingers CreditAttribution: pingers commentedThe OR condition loop can return as soon as TRUE condition is met. I'll concede it's a micro optimization, but if this is going to get broken out and re-used... efficiency is good.
Comment #34
dawehnerThank you for the reviews!
I would love to be able to reuse the code for the views "access all views" checker, which has to be different as you can also configure access via the views UI.
Do you have an idea without over-abstracting all of it?
Changed that.
Comment #36
Crell CreditAttribution: Crell commentedI'm pretty sure this won't apply anymore, but after a year it would be good to get back to. I still think permissions should parallel roles in their syntax.
Comment #37
dawehnerOOOH
Comment #38
tim.plunkettThis isn't needed, right? Otherwise this looks great.
Comment #39
dawehnerGood catch, yeah this was it in the old times. Rerolled against the access context issue.
Comment #40
Crell CreditAttribution: Crell commentedAssuming bot OKs it.
Comment #41
chx CreditAttribution: chx commentedNote we currently use human names for machine names ie.
->hasPermission('access content')
instead of->hasPermission('access_content')
and so it's not entirely impossible to encounter a plus or comma in there; however the chances of there being an actual permission on either side is next to nothing so I believe we can go ahead with this, but we should put such a rename on the radar and discuss whether it's doable in the 8.x at all. Otherwise I would very strongly suggest showing a warning somewhere when working with permissions if there are permissions containing such.Comment #42
chx CreditAttribution: chx commentedWhat has happened here? I am not supposed to be able to delete files made by others.
Comment #43
dawehnerExpanded to put the logic onto the AccessResult.
Maybe someone can point me to a place where multiple hasPermission calls exists in the context of AccessResults.
Comment #44
alexpottCan typehint this with array.
lets !empty($permissions)
Comment #45
dawehnerSure, found another instance.
Comment #46
Wim LeersGlad to see this issue was made simpler by #2287071: Add cacheability metadata to access checks :)
s/a permission/permissions/
s/for//?
This is accidental?
A bit more documentation would be welcome here I think?
This also needs a change record.
Also, s/
$split
/$permissions
/?Please also add
@group Access
.Each case is repeated 3 times. Put it in variables, reuse those? Much more legible.
Comment #47
dawehnerhttps://www.drupal.org/node/2341759
Thank you for your review
Comment #48
Wim LeersI've corrected the change record (it said
_permissions
rather than_permission
).Fixed two nitpicks.
I'd love to see at least one
*.routing.yml
file in Drupal core use this. Don't we have a single use case for this? I think we might've solved it using an access check, which makes it a bit difficult to find?Comment #49
Crell CreditAttribution: Crell commentedDrupal\views\ViewsAccessCheck maybe?
SwitchShortcutSet has a custom access callback that just calls out to a function. We can probably refactor that to eliminate the function anyway. The function has several permission checks but may be more complex than this can handle. Worth checking.
Those are the only promising examples I could find off hand.
Comment #50
Wim LeersI don't think neither is viable. I also searched and couldn't find any. I guess this will have to do then.
Back to RTBC.
Comment #51
dawehnerI am convinced that you don't understand the problem space, but yeah let's please discuss this in the other issue.
Comment #52
alexpottNeeds a reroll for the changes in AccessResult due to #2340507: Make the new AccessResult API and implementation even better
Comment #53
alexpottHmmm wrong status :)
Comment #54
Wim LeersHeh :)
Rerolled!
Comment #55
Wim Leers#54 lost the new unit test hunk. #54 interdiff applies to this patch.
Comment #56
Wim LeersBack to RTBC per #50 — this is only a reroll to chase HEAD.
Comment #57
xjmPer @dawehener, this issue blocks a proper solution in #2157541: Views sets access to ANY on routes - could result in information disclosure, so bumping to critical.
Comment #58
olli CreditAttribution: olli commentedShouldn't this be + for OR and , for AND? Filed #2346105: Use 1+2+3 for OR, 1,2,3 for AND.
AccessF..?
Comment #59
alexpottNeeds work for #58 - I've committed #2346105: Use 1+2+3 for OR, 1,2,3 for AND
So
Needs fixing.
Comment #60
dawehnerLet's fix it.
Comment #61
dawehnerLet's fix it.
Comment #62
Crell CreditAttribution: Crell commentedUnless bot objects.
Comment #63
alexpottBrought issue summary inline with #2346105: Use 1+2+3 for OR, 1,2,3 for AND
Comment #64
webchickCommitted and pushed to 8.x. Thanks!
Comment #67
quietone CreditAttribution: quietone at PreviousNext commentedPublished the CR