Drupal 10, the latest version of the open-source digital experience platform with even more features, is here.Currently we do all our assigning of permissions to roles in the install profile. This only works so long as the permissions page is not saved. Once it is, all permissions for disabled features get dropped. The result is that once a feature is enabled, an admin needs to then go and enable the permissions for the appropriate roles. Instead, each feature should be responsible for adding their permissions to our default roles upon being enabled.
We should also set a message describing which roles received which permissions. We want to avoid having an admin enable a feature, disable a permission for a particular role, disable the feature only to later re-enable it, and not have any indication that the permission was reset.
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | hostmaster-permissions.patch | 4.65 KB | chertzog |











Comments
Comment #1
ergonlogicI had in mind something like this being called from each module's hook_enable():
// EDIT: Note that I haven't tested this yet, so it's probably buggy in any number of ways.
Comment #2
anarcat CreditAttribution: anarcat commentedThis goes in line with moving stuff out of the install profile too, so i'm all for it.
Just doesn't seem like a rush though.
Comment #3
chertzogWorking from #1:
Is this the desired way forward?
Comment #4
ergonlogicYes, something like that.
Since 'aegir administrator' should get all Hosting permissions, we could skip listing them individually. In hosting_add_permissions(), we could just add $perm to that role, since it'll already contain all the module's permissions.
Comment #5
chertzogHere is a patch for this feature. It should apply to the current 7.x-3.x version of hosting.
http://drupalcode.org/sandbox/chertzog/2088757.git/patch/6e12380cce2dd7a...
Also, here is a patch against Hostmaster to remove the creation of the "administrator" role as this is provided by drupal core in D7, as well as remove all the permission assigning for hosting modules.
Comment #6
anarcat CreditAttribution: anarcat commentedawesome, thanks for the patch!
here again: can you make sure you keep whitespace changes separate? otherwise it makes patches harder to review...
Comment #7
ergonlogicAre you sure about that? This seems to indicate that it's still done in the install profile: http://drupalcode.org/project/drupal.git/blob/refs/heads/7.x:/profiles/s...
Comment #8
chertzog@anarcat - sorry about the whitespaces, i have sublime text set to remove all whitespace with each save.
@ergonlogic - oops. not used to working with install profiles. assumed that it was since it was always there when installing drupal.... my bad
Comment #9
anarcat CreditAttribution: anarcat commentedyou can use git add -p to choose which chunks to actually add to your commit to work around sublime's enthusiasm. :)
Comment #10
ergonlogicRather than requiring a hook_enable() to do this, maybe we can just add a 'role_perms' array in hook_hosting_feature(). That would centralize the data, and allow us to optionally display roles/perms on the features page.
We should probably also implement hosting_modules_enabled(), to ensure that any hosting features specific code runs when the module is enabled from admin/modules or via drush.
Finally, I'd added a bit of code in #1 to try and guess whether the permissions had been modified previously. I suspect we'd be better off not doing that, and letting the feature just set the permissions regardless.
Comment #11
ergonlogicI added support for a 'role_perms' array in hook_hosting_feature(), as suggested in #10.
So far, I only added the permissions from the hosting module to its feature. So the rest of the extraction from the profile remains. Also, since we now have the option to display the roles and permissions assigned per feature on the hosting features page, I didn't list out the permissions added in our confirmation message. I'd like feedback on whether that is desired. It would potentially be a lot of info, since there are multiple permissions being assigned across several roles. However, since it has security implications, I'm leaning towards putting it in.
Comment #12
ergonlogicI moved the rest of the permissions from the hostmaster profile to the individual modules, implemented hook_modules_enabled() and list the permissions added by enabling a feature. This should close out this feature request.
Comment #13
ergonlogicHmm, this has broken hostmaster-install, so definitely needs work. Fixing the dependencies listed in hosting.info is a good start.
Comment #14
ergonlogicPart of the problem was missing dependencies between a number of the hosting modules. But then after that, hosting will try to add a verify task for @hostmaster whenever it enables a feature. but since the profile hasn't created the site node yet, it fails with db errors. I'll just skip that bit for any required modules.
Comment #15
ergonlogicThat worked.