Problem/Motivation
Please refer the problem/motivation section of #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method
Proposed resolution
Write EntityResourceTestBase subclass for the BaseFieldOverride entity.
Add an access control handler to provide the same access control as FieldConfig entities. Unlike them base field overrides do not need to deal with locked field storage entities because field storage is provided by the base fields and they are always there and base field overrides should be deletable.
Remaining tasks
References
1. Follow-up of #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method
2. Subtask of #2824572: Write EntityResourceTestBase subclasses for every other entity type.
Comment | File | Size | Author |
---|---|---|---|
#12 | interdiff-2843767-3-12.txt | 781 bytes | shadcn |
#12 | entityresource_provide-2843767-12.patch | 10.77 KB | shadcn |
#3 | entityresource_provide-2843767-3.patch | 10.69 KB | shadcn |
Comments
Comment #3
shadcn CreditAttribution: shadcn at Chapter Three commentedThis patch also adds an access handler
\Drupal\Core\Field\BaseFieldOverrideAccessControlHandler
to\Drupal\Core\Field\Entity\BaseFieldOverride
. Let's see what fails.Comment #5
Wim LeersComment #6
tstoecklerThis is problematic because it doesn't call the parent implementation so it misses e.g. the
part. I think it should do
$parent_access->orIf(...)
or something like that.Comment #7
Wim LeersFirst: thanks for your review — I'm very very very glad an Entity API maintainer is reviewing this :)
I was wondering what you meant by "parent". I'm assuming you're referring to the
FieldConfig
config entity type now. Because:But …
class FieldConfig extends FieldConfigBase implements FieldConfigInterface {
.IOW:
BaseFieldOverride
is not a child ofFieldConfig
, it's a sibling.Doesn't that mean that we should reuse
\Drupal\field\FieldConfigAccessControlHandler
here?Comment #8
tstoecklerOops, sorry for being so brief. No I actually meant parent as in
I.e. the default implementation in
\Drupal\Core\Entity\EntityAccessControlHandler::checkAccess()
. That for example includes a check that you are never allowed to delete an entity if it is new. That is something that we lose by overriding the method without calling the parent.Comment #9
Wim LeersThanks for clarifying :)
But my question still stands though:
BaseFieldOverride
could reuse\Drupal\field\FieldConfigAccessControlHandler
, and IMHO/AFAICT it should. What do you think?Comment #10
tstoecklerVery interesting idea. I checked and that's actually not possible, though. Because the associated field storage definitions of
BaseFIeldOverride
entities areBaseFieldDefinition
objects and notFieldStorageConfig
's, so they do not haveisLocked()
.Comment #11
Wim LeersAhhh, right :) Thanks for checking!
@arshadcn: So then please change the patch according to @tstoeckler's guidance in #8! :)
@tstoeckler++
Comment #12
shadcn CreditAttribution: shadcn at Chapter Three commented@tstoeckler do you mean something like this?
Comment #13
tstoecklerLooks good to me! I guess in theory I could now complain about a missing kernel test for the added base field access control handler, but since it's literally two lines of code and the whole point of this is really extensive Rest test coverage, I hope we can sneak this by the committers without it. On the other hand @arshadcn if you would like to gain some extra credit ;-), feel free to write a kernel test for the new access handler.
Comment #15
himanshu-dixit CreditAttribution: himanshu-dixit as a volunteer and at Google Summer of Code commentedIt looks like it was a random failure. Returning RTBC status
Comment #16
Wim Leers#13: I'd strongly -1 a
KernelTestBase
test. We'd want a unit test for this.And given that 99% of entity access control handlers don't have explicit test coverage, and the test coverage added here is pretty explicit, I think this is still a net step forward :)
Comment #18
Wim LeersComment #20
Wim LeersWithout a doubt this is a Drupal CI infra fail:
Comment #21
alexpottCommitted 5dbe710 and pushed to 8.4.x. Thanks!
Given the new access control handler I think we need to discuss this before backporting to 8.3.x
Unused uses fixed on commit.
Comment #22
alexpottDiscussed with @xjm. We agreed that there is an issue with issue scope here. We need a better issue title and issue summary because this is introducing non test changes and fixing missing things. Like the lack of a access control handler for basfieldoverride - is that a bug, security hole (I don;'t think so because I don't think that by enabling rest on basfieldoverride entities you can create them in HEAD) or a task because we adding missing stuff?
Comment #23
Wim LeersThis.
It'a a task, because many (most) config entity types do not specify an access control handler, nor an
admin_permission
.See #2870018-6: Should the 'access content' permission be used to control access to viewing configuration entities via REST for more detail.
This is blocked on #2870018: Should the 'access content' permission be used to control access to viewing configuration entities via REST reaching consensus.
Comment #24
Wim LeersConsensus was achieved! Quoting #2870018-35: Should the 'access content' permission be used to control access to viewing configuration entities via REST:
However, for this particular case (
\Drupal\Core\Field\Entity\BaseFieldOverride
), anadmin_permission
does not make sense, just like it does not make sense for\Drupal\field\Entity\FieldStorageConfig
(a semantical sibling). So what we do instead, is duplicate the exact same approach as\Drupal\field\FieldStorageConfigAccessControlHandler
:This should be considered the equivalent of
admin_permission
for this config entity type. Therefore the latest patch already is actually implementing the consensus from #2870018: Should the 'access content' permission be used to control access to viewing configuration entities via REST.Comment #25
alexpottChanging to a bug because this is a fixing an access control bug in base field overrides.
Comment #26
alexpottCommitted and pushed 2623bb6 to 8.4.x and 6695bf0 to 8.3.x. Thanks!
Remove unused uses.
Comment #29
Wim LeersYay, thanks! Updated #2824572: Write EntityResourceTestBase subclasses for every other entity type..