Problem/Motivation
Please refer the problem/motivation section of #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method
Proposed resolution
Write EntityResourceTestBase subclass for the Tour entity.
Remaining tasks
References
1. Follow-up of #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method
2. Subtask of #2824572: Write EntityResourceTestBase subclasses for every other entity type.
Comment | File | Size | Author |
---|---|---|---|
#28 | 2843768-28.patch | 9.96 KB | Wim Leers |
#21 | administer-tours.png | 39.44 KB | yoroy |
#12 | interdiff-2843768-9-12.txt | 627 bytes | himanshu-dixit |
#12 | 2843768-12.patch | 10.19 KB | himanshu-dixit |
#9 | interdiff-2843768-7-9.txt | 679 bytes | shadcn |
Comments
Comment #2
sumanthkumarc CreditAttribution: sumanthkumarc at Azri Solutions commentedComment #4
sumanthkumarc CreditAttribution: sumanthkumarc at Azri Solutions commentedComment #5
shadcn CreditAttribution: shadcn at Chapter Three commentedThis patch adds an access handler to Tour entity. Let's see what fails.
Comment #6
Wim LeersLet's drop these comments for consistency with the other test coverage.
This is wrong, an dangerous!
This grants access to all operations on tours based just on
'access tour'
.What we want instead is to add a
admin_permission
to theTour
entity annotation, and then make this call theparent
method except for theview
operation. For theview
operation, we want the logic you've written here.Comment #7
shadcn CreditAttribution: shadcn at Chapter Three commentedWill something like this work? (see patch).
If we add an
admin_permission
to the Tour entity, do we need a newadminister tours
permission as well?Thanks for the review Wim. Learning a lot while working on these tests.
Comment #8
Wim LeersGreat :) That's what I was hoping!
That's a great question. I didn't know the answer myself, so I looked it up:
FilterFormat
has anadmin_permission
… so let's see if that permission is also listed infilter.permissions.yml
… it is! So, the answer is :)Comment #9
shadcn CreditAttribution: shadcn at Chapter Three commentedOK. Ready for the bots.
Comment #11
Wim Leers:)
===
Once point 2 is addressed, this is RTBC.
Comment #12
himanshu-dixit CreditAttribution: himanshu-dixit as a volunteer and at Google Summer of Code commentedHere is the new patch.
Comment #13
Wim LeersComment #15
Wim LeersRandom fail in
Drupal\Tests\inline_form_errors\FunctionalJavascript\FormErrorHandlerCKEditorTest
.Comment #16
alexpottCommitted 431461b and pushed to 8.4.x. Thanks!
Committed to 8.4.x - going to discuss with other committers before backporting to 8.3.x. The new permission and access control handler require a bit more discussion.
Comment #17
alexpottDiscussed with @xjm. We agreed that there is an issue with issue scope here. We need a better issue title and issue summary because this is introducing non test changes and fixing missing things. Like the lack of the admin permission - is that a bug, security hole (I don;'t think so because I don't think that by enabling rest on tour entities you can create them in HEAD) or a task because we adding missing stuff?
Comment #18
Wim Leers#17 is identical to #2843767-22: EntityResource: Provide comprehensive test coverage for BaseFieldOverride entity + add missing access control handler, so repeating my answer from there:
Comment #19
Wim LeersConsensus was achieved! Quoting #2870018-35: Should the 'access content' permission be used to control access to viewing configuration entities via REST:
Turns out the patch in #12 that was committed to 8.4.x already changed it in the necessary way! :D
I think this should not be backported to 8.3.x, because it'd introduce A) a new permission, B) would introduce an access control handler. Disruption is likely close to zero, but then again very few people are likely to want to access tours via REST. So no need to do even remotely risky things in 8.3.x. They can wait for 8.4.x. If they really want this faster, they can apply this patch themselves to 8.3.x. and then stop using it once they update to 8.4.x.
So marking
.Comment #20
Wim LeersActually, no, there's a tiny difference between what the patch in #12 does compared to what the consensus agreed on.
Also, the commit was never actually pushed — HAH!
Comment #21
yoroy CreditAttribution: yoroy commentedhandle*s* ? :)
This is a UI addition, lets make sure to add screenshots each time a permission is added in this multi-issue effort. It's a bit weird to expose a persmission for something that does not also provide a UI for it. I had a look at the permissions page and didn't find another example of this. Together with the "give to trusted users only" warning this is scary: enabling a permission to do something without a UI for it, what kind of unkonwn door does this open then?
Put another way: when would I want/need to enable this permission? Since there's no UI for it, should we maybe explain that a bit in the permission description?
Comment #22
Wim Leers#21:
administer site configuration
permission instead?Comment #23
Wim LeersNeeds yoroy's feedback.
Comment #24
yoroy CreditAttribution: yoroy commentedI can't say because it's not clear to me why the permission is needed in the first place.
Comment #25
Wim LeersI think going with
administer site configuration
makes sense — we did the same forDateFormat
andRdfMapping
. We did that in #2843771: EntityResource: Add an admin permission to RdfMapping entity and provide comprehensive test coverage, which landed a week after #21–#24.Comment #26
tedbowThe 'administer tour' is not longer in tour.permissions.yml file. Why doesn't this fail?
The 'administer tour' is not longer in tour.permissions.yml file. It was removed in this patch.
Comment #27
Wim Leers:O
Comment #28
Wim LeersOh wait, this is normal.
Permission checking never validates that the passed in permissions actually exist. Yes, it is stupid. Yes, it is infuriating. Yes, it is a bad DX. Yes, this is why I insisted we have validation for cache tags & contexts, to prevent exactly that problem — see
\Drupal\Core\Cache\Cache::mergeContexts()
.However, fixing that for permissions is vastly out of scope here.
The cause is much more innocent here: the expected error message is correct, because I forgot to update the access control handler. And since permissions are not validated, it just runs/works.
Comment #29
tedbowOk 2 points in #26 are fixed
RTBC!
Comment #31
catchCommitted/pushed to 8.4.x, thanks!
'administer site configuration' seems like the right choice here.
Comment #32
Wim LeersThanks!