Make AccessManager stricter with values returned from access checkers [#2108829]

Updated: Comment #N

Problem/Motivation

After #2107137: Fix the DX for declaring custom access checkers we will have the ability to add one off custom access checks. These do not even have to implement accessInterface etc... So it makes sense to enforce that what is returned from access checkers in general is one of the AccessInterface constants.

Proposed resolution

Throw an exception in Access Manager if the return value is not one of the allowed constants. To also help with this, we may change the constants from bool/null values to strings. This will now allow people to just return TRUE, or any other value.

Remaining tasks

Patch (from related issue below), tests, fix other tests.

User interface changes

None

API changes

You have to use interface constants (which should be the case anyway).

#2107137: Fix the DX for declaring custom access checkers

Comment	File	Size	Author
#23	interdiff-2108829-23.txt	1.64 KB	damiankloip
#23	2108829-23.patch	11.21 KB	damiankloip
#23
#17	2108829-17.patch	11.16 KB	damiankloip
#17
#12	access-2108829.patch	11.15 KB	dawehner
#12
#12	interdiff.txt	587 bytes	dawehner
#10	interdiff-2108829-10.txt	3.58 KB	damiankloip
#10	2108829-10.patch	10.58 KB	damiankloip
#10
#8	interdiff-2108829-8.txt	2.18 KB	damiankloip
#8	2108829-8.patch	7.73 KB	damiankloip
#8
#5	interdiff-2108829-5.txt	1.55 KB	damiankloip
#5	2108829-5.patch	5.54 KB	damiankloip
#5
#3	interdiff-2108829-3.txt	2.25 KB	damiankloip
#3	2108829-3.patch	4.28 KB	damiankloip
#3
#1	2108829.patch	4.22 KB	damiankloip
#1

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

damiankloip CreditAttribution: damiankloip commented 10 October 2013 at 08:14

Status:

Active

» Needs review

File	Size
2108829.patch	4.22 KB

Here's the initial patch (yoinked from related issue).

Comment #2

10 October 2013 at 09:49

Status:

Needs review

» Needs work

The last submitted patch, 2108829.patch, failed testing.

Comment #3

damiankloip CreditAttribution: damiankloip commented 6 November 2013 at 12:51

Issue summary:	View changes
Status:	Needs work	» Needs review

File	Size
2108829-3.patch	4.28 KB

interdiff-2108829-3.txt	2.25 KB

OK, rerolled for addition of AccountInterface for access checks and fix the actual test. The should pass now.

Comment #4

dawehner

German

CreditAttribution: dawehner commented 6 November 2013 at 15:51

Is there a reason why we haven't changed the actual values of these constants? Only that change ensures that we do use the proper values everywhere.

Comment #5

damiankloip CreditAttribution: damiankloip commented 6 November 2013 at 16:10

File	Size
2108829-5.patch	5.54 KB

interdiff-2108829-5.txt	1.55 KB

OK, I was going to have a follow up for that, but let's do it here. So how this gets on first.

I will update the tests for TRUE, FALSE in the next patch.

Comment #6

dawehner

German

CreditAttribution: dawehner commented 6 November 2013 at 17:35

I will update the tests for TRUE, FALSE in the next patch.

Do you talk about the default access checker here? Maybe we could do that in another issue.

Comment #7

6 November 2013 at 17:37

Status:

Needs review

» Needs work

The last submitted patch, 5: 2108829-5.patch, failed testing.

Comment #8

damiankloip CreditAttribution: damiankloip commented 6 November 2013 at 18:35

Status:

Needs work

» Needs review

File	Size
2108829-8.patch	7.73 KB

interdiff-2108829-8.txt	2.18 KB

Let's see if this fixes the tests.

Comment #9

6 November 2013 at 19:26

Status:

Needs review

» Needs work

The last submitted patch, 8: 2108829-8.patch, failed testing.

Comment #10

damiankloip CreditAttribution: damiankloip commented 7 November 2013 at 09:24

Status:

Needs work

» Needs review

File	Size
2108829-10.patch	10.58 KB

interdiff-2108829-10.txt	3.58 KB

Oh.. Let's try this. That Node revision check needs to return too, so let's return FALSE instead of NULL like it was doing before. Also fixed a couple of other unit tests.

Comment #11

7 November 2013 at 13:18

Status:

Needs review

» Needs work

The last submitted patch, 10: 2108829-10.patch, failed testing.

Comment #12

dawehner

German

CreditAttribution: dawehner commented 9 November 2013 at 16:35

Status:

Needs work

» Needs review

File	Size
interdiff.txt	587 bytes
access-2108829.patch	11.15 KB

This should fix the test failures.

Comment #13

damiankloip CreditAttribution: damiankloip commented 11 November 2013 at 07:53

The last one, great. I knew there would be one more access checker not playing by the rules. Shows that this patch is worth it IMO.

Comment #14

damiankloip CreditAttribution: damiankloip commented 20 November 2013 at 09:47

12: access-2108829.patch queued for re-testing.

Comment #15

20 November 2013 at 11:16

Status:

Needs review

» Needs work

The last submitted patch, 12: access-2108829.patch, failed testing.

Comment #16

damiankloip CreditAttribution: damiankloip commented 20 November 2013 at 12:14

Status:

Needs work

» Needs review

12: access-2108829.patch queued for re-testing.

Comment #17

damiankloip CreditAttribution: damiankloip commented 26 November 2013 at 07:39

File	Size
2108829-17.patch	11.16 KB

4 files were hidden/shown/deleted

File	Size
2108829-10.patch	10.58 KB

interdiff-2108829-10.txt	3.58 KB
interdiff.txt	587 bytes
access-2108829.patch	11.15 KB

Rerolled.

Comment #18

dawehner

German

CreditAttribution: dawehner commented 26 November 2013 at 07:46

Status:	Needs review	» Reviewed & tested by the community
Issue tags:		+undefined

Adding some tags.

Comment #19

26 November 2013 at 08:30

Status:

Reviewed & tested by the community

» Needs work

The last submitted patch, 17: 2108829-17.patch, failed testing.

Comment #20

damiankloip CreditAttribution: damiankloip commented 26 November 2013 at 08:46

Status:

Needs work

» Needs review

17: 2108829-17.patch queued for re-testing.

Comment #21

dawehner

German

CreditAttribution: dawehner commented 26 November 2013 at 19:42

Component:	base system	» routing system
Status:	Needs review	» Reviewed & tested by the community
Issue tags:	-undefined	+WSCCI

re-rtbc

Comment #22

Crell CreditAttribution: Crell commented 27 November 2013 at 04:13

Status:

Reviewed & tested by the community

» Needs work

+++ b/core/lib/Drupal/Core/Access/AccessManager.php
@@ -261,6 +261,11 @@ protected function checkAll(array $checks, Route $route, Request $request, Accou
+      if (!in_array($service_access, array(AccessInterface::ALLOW, AccessInterface::DENY, AccessInterface::KILL), TRUE)) {
+        throw new AccessException('Access services can only return AccessInterface::ALLOW, AccessInterface::DENY, or AccessInterface::KILL constants.');
+      }

Which access checker failed? If we're going to throw an exception with the expectation that it gets displayed, it should be helpful to the developer and say which access checker/method is Doing It Wrong(tm). That way it's easier to fix.

I like the idea of this patch on "fail usefully" grounds, but we should go all the way to failing very usefully.

Comment #23

damiankloip CreditAttribution: damiankloip commented 27 November 2013 at 07:41

Status:

Needs work

» Needs review

File	Size
2108829-23.patch	11.21 KB

interdiff-2108829-23.txt	1.64 KB

1 file was hidden/shown/deleted

File	Size
2108829-17.patch	11.16 KB

Ok, that IS a fair point I guess :)

Comment #24

dawehner

German

CreditAttribution: dawehner commented 27 November 2013 at 16:42

Status:

Needs review

» Reviewed & tested by the community

Good point!

Comment #25

catch

he/him

English

CreditAttribution: catch commented 1 December 2013 at 12:42

Status:

Reviewed & tested by the community

» Fixed

Committed/pushed to 8.x, thanks!

Comment #26

15 December 2013 at 12:50

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Make AccessManager stricter with values returned from access checkers

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Comment #19

Comment #20

Comment #21

Comment #22

Comment #23

Comment #24

Comment #25

Comment #26

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community

Make AccessManager stricter with values returned from access checkers

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Related Issues

Comments