Looking at user_admin_permissions() it is revealed that hook_permission() supports a warning key for a description of why the user should be careful with the permission. This key is not documented in the hook_permission() documentation.

CommentFileSizeAuthor
#12 1037352-followup-12.patch1.39 KBDavid_Rothstein
#9 1037352-followup-9.patch1.73 KBDavid_Rothstein
#4 1037352.patch836 bytesjhodgdon
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Active » Closed (works as designed)

Not really:

       $perm_item += array(
          'description' => '', 
          'restrict access' => FALSE, 
          'warning' => !empty($perm_item['restrict access']) ? t('Warning: Give to trusted roles only; this permission has security implications.') : '',
        );

The code is generating a warning from the 'restrict access' field from hook_permission(), which is correctly documented in hook_permission() docs.

JimmyAx’s picture

JimmyAx CreditAttribution: JimmyAx commented
Status: Closed (works as designed) » Active

I'm not sure you understand the issue here. This isn't about the automatic generation of the warning, but rather that you are allowed to set your own warning in hook_permission(), therefore replacing the default warning. This custom warning is then passed to the permission admin interface. This isn't documented at all, not even a single word indicating that you could do so, yet it's fully supported in the API.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Title: Documentation problem with hook_permission » hook_permission is missing doc about 'warning'

Ah, OK. Yes that should be documented in hook_permission.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Active » Needs review
FileSize
1037352.patch836 bytes

Here's a patch.

kim-day’s picture

kim-day CreditAttribution: kim-day commented
Status: Needs review » Reviewed & tested by the community

the patch works correctly - looks good

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Version: 7.x-dev » 8.x-dev

Needs to go to d8 and then d7

Dries’s picture

Dries CreditAttribution: Dries commented
Version: 8.x-dev » 7.x-dev

Committed to 8.x. Thanks.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Reviewed & tested by the community » Fixed

Committed to 7.x. Thanks!

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Version: 7.x-dev » 8.x-dev
Status: Fixed » Needs review
FileSize
1037352-followup-9.patch1.73 KB

I guess it was a mistake not to document this parameter at all... but I think we really really want to discourage people from using it.

The idea is that this is supposed to be a clear, standard warning that is constant across all permissions, not a place for people to dump things that actually belong in the permission description. I can think of very few (if any) situations where it would be a good idea to set this.

Here's one approach to deal with this via the documentation (attached).

I think it might actually be preferable to just take away the ability to set this altogether (you can still change the text globally for all permissions via the theme system, e.g. using a preprocess function, which is a legitimate thing to do). But since this is an issue in the documentation queue, I'm starting with a documentation patch :)

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Needs review » Reviewed & tested by the community

I'm on board with this idea, and the patch wording seems fine to me.
Should go into 8.x and 7.x.

Dries’s picture

Dries CreditAttribution: Dries commented
Version: 8.x-dev » 7.x-dev
Status: Reviewed & tested by the community » Needs work

Committed to 8.x. Moving to D7. Probably needs work as both patches will have to be merged.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Version: 7.x-dev » 8.x-dev
Status: Needs work » Reviewed & tested by the community
FileSize
1037352-followup-12.patch1.39 KB

The original patch was already committed to D7, so #9 should apply fine there as well.

However, first we have to fix the conflicts that were introduced in D8...

Dries’s picture

Dries CreditAttribution: Dries commented
Version: 8.x-dev » 7.x-dev

Sorry about that. Committed #12 to my local 8.x tree, and will commit the changes shortly. Moving back to 7.x. Thanks David.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 1037352-followup-12.patch, failed testing.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Status: Needs work » Reviewed & tested by the community

Poor testbot. #9 is the one that's RTBC for Drupal 7.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Reviewed & tested by the community » Fixed

Committed #9 to 7.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.