Updated: Comment #0

Problem/Motivation

#2048171: [meta] Replace user_access() calls with $account->hasPermission() wherever possible. is moving calls from user_access to instead access the _account from the request.
But I think this is crummy DX

-  if (!user_access('access tour')) {
+  $account = Drupal::request()->attributes->get('_account');
+  if (!$account->hasPermission('access tour')) {

As to is this:

-  global $user;
+  $user = Drupal::request()->attributes->get('_account');

Proposed resolution

Add Drupal::userAccess and let procedural code use that instead. Plugins and other Object oriented code should inject the request and just access it directly, but I think procedural code needs a convenience wrapper.
Similarly add Drupal::currentAccount() to replace global $user

Remaining tasks

Review it.
Decide on action.

User interface changes

None.

API changes

New convenience methods on \Drupal

#2048171: [meta] Replace user_access() calls with $account->hasPermission() wherever possible.
#2062031: Replace user_access() calls with $account->hasPermission() in tour module
#2047951: [META] Remove calls to deprecated global $user and $GLOBALS['user']
#1945024: Remove subrequests from central controllers and use the controller resolver directly.
#2062151: Create a current user service to ensure that current account is always available

CommentFileSizeAuthor
#9 user-access-dx.7.interdiff.txt797 byteslarowlan
#9 user-access-dx.7.patch1.92 KBlarowlan
#3 user-access-dx.3.interdiff.txt732 byteslarowlan
#3 user-access-dx.3.patch1.92 KBlarowlan
user-access-dx.patch1.44 KBlarowlan

Comments

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Status: Active » Needs review
damien tournoud’s picture

damien tournoud commented

Given that we also have many stupid patches like this in the queue:

-  global $user;
+  $user = Drupal::request()->attributes->get('_account');

.... I suggest we just do a Drupal::currentAccount() (or Drupal::account()).

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
StatusFileSize
new user-access-dx.3.patch1.92 KB
new user-access-dx.3.interdiff.txt732 bytes

Like so?

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

Added #2047951: [META] Remove calls to deprecated global $user and $GLOBALS['user'] to summary

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Issue summary: View changes

Updated issue summary.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

Updated issue summary to include #2 and #3

Crell’s picture

Crell commented 
@@ -391,4 +391,38 @@ public static function languageManager() {
+    return FALSE;

Null. Not false: http://www.garfieldtech.com/blog/empty-return-values

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

@Crell for ::currentAccount() only right?

Crell’s picture

Crell commented

Correct. Sorry, I didn't realize the dreditor snippet would be that useless. :-)

A method should return "an object or NULL if there isn't one" or "TRUE or FALSE and nothing else". But the absence of a valid object is not untrue, it's the absence of a value. Absence of a value is NULL, not untrue.

Any time you use the value FALSE, mentally translate it to "untrue". If it doesn't make sense, then you shouldn't be using it. :-)

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
StatusFileSize
new user-access-dx.7.patch1.92 KB
new user-access-dx.7.interdiff.txt797 bytes

Here tis

Crell’s picture

Crell commented
Status: Needs review » Reviewed & tested by the community

I do hope we're not shooting ourselves in the foot with all of these "make procedural code pretty" patches...

catch’s picture

catch
he/him
Primary language English
commented
Status: Reviewed & tested by the community » Needs work

I'm starting to question why we have _account as a custom property on the request attributes and this being the only way to get at it. What about having a service which does this? Then we wouldn't need that actual logic in \Drupal. This is related to #2040065: Remove _account from request and use the current user service instead. just feels like we're piling hacks on at the moment.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

Is that this:
#1858196: [meta] Leverage Symfony Session components

But yeah, questioning the why as well as the how is a good idea.

catch’s picture

catch
he/him
Primary language English
commented

It might well be that. In which case we either need to postpone all these issues on that one, or find an API (regardless of injected code or not) that's going to be forwards compatible with that patch so we're not doing ->get('_account') much less ->set('_account') all over the place.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

k, will postpone the two meta's

msonnabaum’s picture

msonnabaum commented

I think this patch is showing that we dont need userAccess, we need a CurrentUser service:


\Drupal::currentUser()->hasPermission($permission);
larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

Added #2062151: Create a current user service to ensure that current account is always available and #1945024: Remove subrequests from central controllers and use the controller resolver directly. to related issues in summary.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Issue summary: View changes

Updated issue summary.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Status: Needs work » Postponed

Postponed on #2062151: Create a current user service to ensure that current account is always available

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Status: Postponed » Closed (duplicate)

Fixed in #2062151: Create a current user service to ensure that current account is always available

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Issue summary: View changes

Updated issue summary