Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
That's a challenging one...
We have implemented our custom summary method and said inaccessible Paragraphs should not have the Edit button, but the summary.
Now turns out that for instance unpublished Paragraphs loose access and thus the summary doesn't render anything at all.
This even effects all nested children if you unpublish a parent Container Paragraph.
Proposed resolution
We need a summary for non-editable things.
The problem here is that
- outputting the inaccessible elements could be a security breach.
- the user might not even have view permission to the elements and still should see a summary.
Remaining tasks
Define precisely when we output elements that are inaccessible for the current user.
User interface changes
Comment | File | Size | Author |
---|---|---|---|
#20 | interdiff-2937660-18-20.txt | 649 bytes | johnchque |
#20 | empty_summary-2937660-20.patch | 5.51 KB | johnchque |
| |||
#18 | interdiff-2937660-17-18.txt | 1.17 KB | johnchque |
#18 | empty_summary-2937660-18.patch | 5.51 KB | johnchque |
#17 | interdiff-2937660-14-17.txt | 655 bytes | johnchque |
Comments
Comment #2
miro_dietikerComment #3
miro_dietikerDiscussed and decided to improve the summary:
Since this raises the complexity, chances are that we need summary caching to keep the UI fast in this issue:
#2935134: [meta] Improve performance of paragraphs widget
At least before commit, we should do profiling.
Comment #4
johnchqueThis should work, tests added. :)
Comment #6
johnchqueNot really sure why this is failing, this works fine locally.
Comment #8
BerdirComment #9
BerdirNot sure what the problem is. But the default widget is radios which looks weird and is not how you'd actually configure a published status. So lets try with a checkbox instead. Works fine locally.
There are still more things about the status that we should consider, one is that this still displays an info in the backend summary as an icon that the paragraph is not accessible by you, should probably instead check for status specifically and provide a better message. But that's like a different issue.
Comment #10
johnchqueYeah, the icon can have a better message by checking the status. +1 for that. Anything else to do in this issue?
Comment #11
johnchqueAdding related issue for icon description.
Comment #12
BerdirI'd like to do some profiling on this, the access checks on each field do add a bit of overhead. Wondering if a possibly simple improvement would be to special case the base fields and only loop over configurable fields. Will have a look.
Comment #13
BerdirProfiled.
As I feared, I'm seeing a 60% increase on a page with a lot of paragraphs being displayed.
What I've noticed before is that we loop over base fields but we never actually add anything from them anyway. If we add code to skip them, then that about levels out the difference and in my testing, it was just 2% slower. Like this:
> if ($field_definition instanceof BaseFieldDefinition || !$this->get($field_name)->access('view')) {
also include a comment as to why.
This also means we can skip a check a bit later that excludes type/uid/revision_uid (the uid fields don't exist anyway)
Comment #14
johnchqueIndeed, added and commented. :)
Comment #15
BerdirComment could maybe be a bit better, lets see what Miro thinks.
Comment #16
miro_dietikerSo we had lots of discussions about edge cases, known limitations and fun problems such as multilingual fallbacks...
But that can be all covered in one of the many follow-ups (tm) we have to create based from our learnings... ;-)
...except this:
Let's check here for edit OR view permissions to avoid potential security issues.
Comment #17
johnchqueAdding edit access check. :)
Comment #18
johnchqueOops sorry, it should be better now.
Comment #20
johnchqueMy bad, it wasn't edit, it was update.
Comment #21
BerdirWas about to write that in a comment but crossposted with you. This should be fine now. Writing test coverage for this would probably be quite tricky, seems enough to have the permission and making sure we can see summary of unpublished paragraphs.
Comment #23
miro_dietikerVery nice, committing. :-)