Currently we do all our assigning of permissions to roles in the install profile. This only works so long as the permissions page is not saved. Once it is, all permissions for disabled features get dropped. The result is that once a feature is enabled, an admin needs to then go and enable the permissions for the appropriate roles. Instead, each feature should be responsible for adding their permissions to our default roles upon being enabled.

We should also set a message describing which roles received which permissions. We want to avoid having an admin enable a feature, disable a permission for a particular role, disable the feature only to later re-enable it, and not have any indication that the permission was reset.

CommentFileSizeAuthor
#5 hostmaster-permissions.patch4.65 KBchertzog
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented
Title: Make features assign their permissions » Make features assign their own permissions

I had in mind something like this being called from each module's hook_enable():

/**
 * Add a module's permissions to the appropriate roles.
 *
 * @param $module
 *   The name of the module whose permissions we're adding.
 * @param $role_perms
 *   An array of arrays keyed by the role name. The values are the permissions
 *   to enable.
 */
function hosting_add_permissions($module, $role_perms) {
  // Get the permissions defined by the module.
  $perms = call_user_func($module . '_perm');
  // Check whether any of the module's perms are assigned to any role.
  foreach ($perms as $perm) {
    if (user_roles(FALSE, $perm) {
      // Don't proceed, as the feature has previously been enabled, and per-
      // missions may have been customized.
      return;
    }
  }

  // Get all defined roles.
  $roles = user_roles();
  // Get current permissions.
  $current = db_fetch_array(db_query('SELECT rid, perm FROM {permission}'));
  foreach ($role_perms as $role => $perms) {
    $rid = array_search($role, $roles);
    // Merge new permissions into current ones.
    $new_perms = array_merge($perms, explode($current[$rid]));
    // Save permissions for this role.
    db_query("INSERT INTO {permission} (rid, perm) VALUES (%d, '%s')", $rid, implode(', ', $new_perms));
    drupal_set_message(t('Assigned the <em>!role</em> role the following permissions: ' . implode(', ', $perms) . '.', array('!role' => $role)));
  }

  // Clear cached pages.
  cache_clear_all();

}

// EDIT: Note that I haven't tested this yet, so it's probably buggy in any number of ways.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Version: 6.x-2.x-dev » 7.x-3.x-dev

This goes in line with moving stuff out of the install profile too, so i'm all for it.

Just doesn't seem like a rush though.

chertzog’s picture

chertzog
he/him
Primary language English
Location Harrisburg, PA, USA
CreditAttribution: chertzog commented

Working from #1:


function hosting_task_enable(){
  $role_perms = array(
    'aegir administrator' = array(
      'administer tasks',
      'create backup task',
      'create restore task',
      'create disable task',
      'create enable task',
      'create delete task',
      'create verify task',
      'create lock task',
      'create unlock task',
      'create login-reset task',
      'create backup-delete task',
      'create clone task',
      'create migrate task',
      'view own tasks',
      'view task',
      'access task logs',
      'retry failed tasks',
      'cancel own tasks',
      'update status of tasks'
    ),
    'aegir client' = array(
      'create backup task',
      'create restore task',
      'create disable task',
      'create enable task',
      'create delete task',
      'create verify task',
      'create backup-delete task',
      'create migrate task',
      'view own tasks',
      'view task',
      'cancel own tasks',
    ),
    'aegir platform manager' = array(
      'administer tasks',
      'create lock task',
      'create unlock task',
      'create verify task',
      'access task logs',
      'cancel own tasks',
      'view own tasks',
      'retry failed tasks',
      'view task',
    ),
  );

  hosting_add_permissions('hosting_task', $role_perms);
}

Is this the desired way forward?

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented

Yes, something like that.

Since 'aegir administrator' should get all Hosting permissions, we could skip listing them individually. In hosting_add_permissions(), we could just add $perm to that role, since it'll already contain all the module's permissions.

chertzog’s picture

chertzog
he/him
Primary language English
Location Harrisburg, PA, USA
CreditAttribution: chertzog commented
Status: Active » Needs review
FileSize
hostmaster-permissions.patch4.65 KB

Here is a patch for this feature. It should apply to the current 7.x-3.x version of hosting.

http://drupalcode.org/sandbox/chertzog/2088757.git/patch/6e12380cce2dd7a...

Also, here is a patch against Hostmaster to remove the creation of the "administrator" role as this is provided by drupal core in D7, as well as remove all the permission assigning for hosting modules.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Needs review » Needs work

awesome, thanks for the patch!

here again: can you make sure you keep whitespace changes separate? otherwise it makes patches harder to review...

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented

here is a patch against Hostmaster to remove the creation of the "administrator" role as this is provided by drupal core in D7,

Are you sure about that? This seems to indicate that it's still done in the install profile: http://drupalcode.org/project/drupal.git/blob/refs/heads/7.x:/profiles/s...

chertzog’s picture

chertzog
he/him
Primary language English
Location Harrisburg, PA, USA
CreditAttribution: chertzog commented

@anarcat - sorry about the whitespaces, i have sublime text set to remove all whitespace with each save.

@ergonlogic - oops. not used to working with install profiles. assumed that it was since it was always there when installing drupal.... my bad

anarcat’s picture

anarcat CreditAttribution: anarcat commented

you can use git add -p to choose which chunks to actually add to your commit to work around sublime's enthusiasm. :)

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented

Rather than requiring a hook_enable() to do this, maybe we can just add a 'role_perms' array in hook_hosting_feature(). That would centralize the data, and allow us to optionally display roles/perms on the features page.

We should probably also implement hosting_modules_enabled(), to ensure that any hosting features specific code runs when the module is enabled from admin/modules or via drush.

Finally, I'd added a bit of code in #1 to try and guess whether the permissions had been modified previously. I suspect we'd be better off not doing that, and letting the feature just set the permissions regardless.

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented

I added support for a 'role_perms' array in hook_hosting_feature(), as suggested in #10.

So far, I only added the permissions from the hosting module to its feature. So the rest of the extraction from the profile remains. Also, since we now have the option to display the roles and permissions assigned per feature on the hosting features page, I didn't list out the permissions added in our confirmation message. I'd like feedback on whether that is desired. It would potentially be a lot of info, since there are multiple permissions being assigned across several roles. However, since it has security implications, I'm leaning towards putting it in.

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented
Issue summary: View changes
Status: Needs work » Fixed

I moved the rest of the permissions from the hostmaster profile to the individual modules, implemented hook_modules_enabled() and list the permissions added by enabling a feature. This should close out this feature request.

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented
Status: Fixed » Needs work

Hmm, this has broken hostmaster-install, so definitely needs work. Fixing the dependencies listed in hosting.info is a good start.

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented

Part of the problem was missing dependencies between a number of the hosting modules. But then after that, hosting will try to add a verify task for @hostmaster whenever it enables a feature. but since the profile hasn't created the site node yet, it fails with db errors. I'll just skip that bit for any required modules.

ergonlogic’s picture

ergonlogic
he/him
Primary language English
Location Montréal, Québec 🇨🇦
CreditAttribution: ergonlogic commented
Status: Needs work » Fixed

That worked.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

  • Commit 4399cc7 on 7.x-3.x, dev-helmo-3.x by ergonlogic: 
    Issue #2041911: List hosting.module's permission assignments in its...
  • Commit d5d721d on 7.x-3.x, dev-helmo-3.x by ergonlogic:
    Issue #2041911: Make features assign their own permissions.

  • Commit 4399cc7 on 7.x-3.x, dev-helmo-3.x by ergonlogic: 
    Issue #2041911: List hosting.module's permission assignments in its...
  • Commit d5d721d on 7.x-3.x, dev-helmo-3.x by ergonlogic:
    Issue #2041911: Make features assign their own permissions.