Problem/Motivation

The \Drupal\node\Form\RebuildPermissionsForm is accessible to any user with the access administration pages permission. Rebuilding permissions can be a long and very disruptive process for sites with lots of content access permissions and should be restricted to a higher level of permission.

In fact, the final step of the rebuild process redirects the user to /admin/reports/status, which requires the administer site configuration permission, so for certain configurations the user is redirected to a 403 Access Denied message after the rebuild completes.

Steps to reproduce

  1. Flag permissions for rebuild.
  2. Log in as a user with the access administration pages permission but not the administer site configuration permission.
  3. Observe a notification about rebuilding permissions and click the link to do so.
  4. Rebuild the permissions.
  5. Observe a 403 Access Denied response on completion.

Proposed resolution

Use the administer nodes permission for access control to the rebuild form and operation.

This means the user could still end up with a 403 Access Denied without the additional administer site configuration permission, but administer site configuration feels like it does not fit quite as well for the rebuild permission.

Remaining tasks

Create a branch with the proposed change.

User interface changes

None.

API changes

None.

Data model changes

None.

Release notes snippet

Rebuilding permissions now requires the administer nodes permission. Previously only the access administration pages permission was required. Site owners should review and adjust permissions as necessary to ensure proper access to the rebuild permissions functionality.
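An added example, not part of the issue or the merge request: a Python check for the review the release note asks for, run over exported role configuration. The sample exports are constructed, and the minimal parser assumes the flat layout of user.role.*.yml files and that a role flagged is_admin holds every permission.

```python
import re

OLD_PERM = "access administration pages"       # required before the change
NEW_PERM = "administer nodes"                  # required after the change
STATUS_PERM = "administer site configuration"  # needed by /admin/reports/status

# Constructed role exports in the layout of Drupal's user.role.*.yml files.
SAMPLE_EXPORTS = [
    "id: support\nis_admin: false\npermissions:\n"
    "  - 'access administration pages'\n  - 'access content overview'\n",
    "id: editor\nis_admin: false\npermissions:\n"
    "  - 'access administration pages'\n  - 'administer nodes'\n",
    "id: site_builder\nis_admin: false\npermissions:\n"
    "  - 'access administration pages'\n  - 'administer nodes'\n"
    "  - 'administer site configuration'\n",
    "id: administrator\nis_admin: true\npermissions: {  }\n",
]

def parse_role(text):
    """Read id, is_admin and the permissions list from one role export."""
    role = {"id": None, "is_admin": False, "permissions": set()}
    in_perms = False
    for line in text.splitlines():
        item = re.match(r"\s+-\s+'?([^']+?)'?\s*$", line)
        if in_perms and item:
            role["permissions"].add(item.group(1))
            continue
        in_perms = line.startswith("permissions:")
        key, _, value = line.partition(":")
        if key == "id":
            role["id"] = value.strip()
        elif key == "is_admin":
            role["is_admin"] = value.strip() == "true"
    return role

def audit(exports):
    """Map role id -> effect of the permission change on the rebuild form."""
    report = {}
    for role in map(parse_role, exports):
        # Assumption: an is_admin role is treated as holding every permission.
        has = lambda p, r=role: r["is_admin"] or p in r["permissions"]
        if has(OLD_PERM) and not has(NEW_PERM):
            report[role["id"]] = "loses access"
        elif has(NEW_PERM) and not has(STATUS_PERM):
            report[role["id"]] = "can rebuild, 403 on redirect"
        elif has(NEW_PERM):
            report[role["id"]] = "can rebuild"
        else:
            report[role["id"]] = "no access before or after"
    return report
```

Roles reported as "loses access" need administer nodes granted if they are meant to keep rebuilding permissions; roles reported with a 403 on redirect still complete the rebuild but cannot view the status report afterwards.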

Issue fork drupal-3318992


Comments

wells created an issue. See original summary.

wells’s picture

Title: Increase access level required for content permissions rebuilds » 3318992-increase-access-level-for-content-permissions-rebuild
Status: Active » Needs review

MR!2925 opened with the proposed resolution.

wells’s picture

Title: 3318992-increase-access-level-for-content-permissions-rebuild » Increase access level required for content permissions rebuilds

Reverting issue title -- not sure why it changed...

smustgrave’s picture

Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative, +Needs subsystem maintainer review, +Needs change record

This issue is being reviewed by the kind folks in Slack, #need-review-queue. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.

Tried following the steps in the summary but when I go to admin/reports/status the rebuild happens so quickly I don't see anything on my other browser.

But I believe this kind of change will need subsystem maintainer review and a change record.

larowlan’s picture

Category: Feature request » Task
Issue tags: -Needs subsystem maintainer review +Needs release note

This makes sense to me, but because of the disruption it would only happen in a minor release.

And because of that we need a release note snippet that advises site owners of the permission change.

wells’s picture

Issue summary: View changes

wells’s picture

Status: Needs work » Needs review

I have rebased the MR and drafted a release note snippet and change record. Returning to NR for those changes.

smustgrave’s picture

Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs change record, -Needs release note

Took a look at the CR and release notes and they seem clear to me.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

  • catch committed e6793cab on 11.x
    Issue #3318992 by wells, smustgrave, larowlan: Increase access level...
catch’s picture

Status: Reviewed & tested by the community » Fixed

Committed e6793ca and pushed to 11.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.