See #2945286: The "access overview" permission is not used/respected.

The EntityPermissionProvider provides "access {$entity_type_id} overview". Generally this permission is used for the overridden collection routes of entities provided by a View. If the entity collection route is not overridden, the Core route provider sets the permission to the admin permission.

Entity API should have a route provider which respects the overview permission. It will need to check that the entity uses the EntityPermissionProvider handler and add the overview permission alongside the admin permission.

Comment  File             Size     Author
#2       2951270-2.patch  4.81 KB  mglaman

Comments

mglaman created an issue. See original summary.

mglaman’s picture

Status: Active » Needs review
Status: new, Size: 4.81 KB

Here is a patch. It would be simpler once in Core. Currently we have to provide an option for Admin and Default html route providers.

mglaman’s picture

  1. +++ /dev/null
    @@ -1,7 +0,0 @@
    -entity.entity_test_enhanced.collection:
    -  path: '/entity_test_enhanced'
    -  defaults:
    -    _entity_list: 'entity_test_enhanced'
    -    _title: 'Entity test with enhancements'
    -  requirements:
    -    _permission: 'administer entity_test_enhanced'
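Review bot: The reason this static route has to go is not documented anywhere a module author would find it. The deleted entry registered entity.entity_test_enhanced.collection with `_permission: 'administer entity_test_enhanced'` only, and per the comment on this hunk a manual definition like this keeps the entity route subscriber from running, so any module that declares its collection route in routing.yml the same way will not get the overview permission. Suggest stating that in the route provider's docblock or in the change notes.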
    

    This manual definition prevented the entity route subscriber from executing.

  2. +++ b/tests/src/Kernel/OverviewPermissionTest.php
    @@ -0,0 +1,48 @@
    +  public function testOverviewPermissionRequirement() {
    +    $router = $this->container->get('router');
    +    $route = $router->getRouteCollection()->get('entity.entity_test_enhanced.collection');
    +    $_permission = $route->getRequirement('_permission');
    +    $this->assertEquals('administer entity_test_enhanced+access entity_test_enhanced overview', $_permission);
    +  }
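Review bot: The single assertion in testOverviewPermissionRequirement compares the `_permission` requirement string, so it confirms what was written onto the route rather than who is let in, and it also pins the order of the two permissions around the `+`. Suggest checking access to entity.entity_test_enhanced.collection for an account holding neither permission (expect denied), one holding 'administer entity_test_enhanced' and one holding 'access entity_test_enhanced overview' (expect both allowed).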
    

    Should I also test via Functional? Admin provider?

dawehner’s picture

Should I also test via Functional? Admin provider?

Functional test coverage sounds sensible here

The patch looks basically as expected.

lisastreeter’s picture

Issue tags: +midcamp2018

Patch applies cleanly and works as expected.

bojanz’s picture

Status: Needs review » Needs work

The providers look good.

The test looks bad. It's testing the same line that the code provides, which is fragile. I'd expect the test to have 3 users, one with no permission, one with the admin permission, one with the overview permission. Then we ensure that the last two grant access.
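One way to write the three-user check described above, as an added example: this is not the test that was committed and not the Entity API module's own code. The class name and the `entity_module_test` module name are assumptions; the route name and permission strings are the ones quoted in this issue.

```php
<?php

namespace Drupal\Tests\entity\Kernel;

use Drupal\KernelTests\KernelTestBase;
use Drupal\Tests\user\Traits\UserCreationTrait;

/**
 * Added example: verifies who can reach the generated collection route.
 */
class CollectionRouteAccessExampleTest extends KernelTestBase {

  use UserCreationTrait;

  // Assumption: entity_module_test is the module that defines the
  // entity_test_enhanced entity type.
  public static $modules = ['system', 'user', 'entity', 'entity_module_test'];

  protected function setUp() {
    parent::setUp();
    $this->installSchema('system', ['sequences']);
    $this->installEntitySchema('user');
    // The first account created becomes uid 1, which passes every permission
    // check. Create and discard it so that no test account is uid 1.
    $this->createUser();
  }

  public function testCollectionRouteAccess() {
    $route_name = 'entity.entity_test_enhanced.collection';
    $access_manager = $this->container->get('access_manager');

    // Each case: permissions granted to the account, expected access result.
    $cases = [
      [[], FALSE],
      [['administer entity_test_enhanced'], TRUE],
      [['access entity_test_enhanced overview'], TRUE],
    ];
    foreach ($cases as list($permissions, $expected)) {
      $account = $this->createUser($permissions);
      // checkNamedRoute() runs the route's access checks for this account,
      // so the result reflects behaviour and not the requirement string.
      $this->assertSame($expected, $access_manager->checkNamedRoute($route_name, [], $account));
    }
  }

}
```

The first case is the one that matters most for access control: it fails if the route is ever generated without a permission requirement.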

bojanz’s picture

Title: Supply a RouteProvider which supports "overview" permission for collection routes » Core's generated collection routes do not support the provided "access overview" permission
Category: Feature request » Bug report

Clarity.

  • bojanz committed 09b0767 on 8.x-1.x authored by mglaman
    Issue #2951270 by mglaman, bojanz, dawehner, lisastreeter: Core's...
bojanz’s picture

Status: Needs work » Fixed

Replaced the test and committed. Thanks!

tstoeckler’s picture

Just opened #2953566: Allow entities to specify a "collection permission" to "fix" this properly in core, FYI.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
