Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
When installing a site from a minimal install profile, there is no 'administrator' role, so its presence cannot be assumed for all site implementations.
Within domain_entity_entity_access() there is a check for $user->hasRole("administrator") which is an attempt to return an early neutral access result on admin routes. The issue is that this ought to be permission based, rather than a role check.
The use case (hopefully a fairly broad requirement) we have users with a 'content editor' role with the 'publish to any domain' permission assigned. Given this permission comes from the domain_access module (a dependency of domain_entity) and this permission is used elsewhere in this module's code, the suggestion is to add an additional check for this permission and not rely on the administrator role. As existing sites may already be relying on the $user->hasRole("administrator") part we should probably leave it in place unless the maintainers agree a permissions based approach is best.
Steps to reproduce
Create domain records for 'gb' and 'de'
Install domain_entity and assign to a taxonomy vocab in the usual way - following steps in the README.
Create a taxonomy term and assign to 'gb'.
Try to edit the term on the 'de' domain with a user that doesn't have the administrator role.
Results in access denied.
Proposed resolution
if ($is_admin && ($user->hasRole("administrator")))
...should become something like...
if ($is_admin && ($user->hasRole("administrator") || $user->hasPermission('publish to any domain')))
Remaining tasks
Seek maintainers thoughts as to whether this approach is safe and ideal.
Are there alternative approaches, such as a new permission managed by the module, that could be used?
User interface changes
None.
API changes
Some sites may use the 'publish to any domain' permission in such a way that if used here for access control results in undesired behaviour. I can't see this really being common because the nature of the permission is that it's an admin level permission anyway where broad access control is granted.
Data model changes
None.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 3280169_1.patch | 594 bytes | barry_fisher |
Comments
Comment #2
barry_fisher commentedPatch with fix as initially described.
Comment #3
delta commentedComment #4
delta commentedHi @Barry_Fisher I've added you to the list of maintainer if you wish to release this fix
Comment #5
delta commentedit makes sense to me.
@andypost a second opinion on that would be good, and I leave it for a separate beta release where it can be outlined in the release notes.
Comment #6
delta commented-
Comment #7
delta commented-
Comment #8
delta commentedIt seems reasonable to assume that a user given the right to publish to any domains should also have access to all entities from any domain in the administration.
And it fix a valid use case too, so moving forward.
Comment #10
delta commentedreleased in beta8 https://www.drupal.org/project/domain_entity/releases/8.x-1.0-beta8