Problem/Motivation
Current example routes advertise security as access: TRUE. There are concerns that we are modeling poor security and/or that copied code will have security flaws. See #2102659: Add new Form API example module for Drupal 8 for the genesis of this discussion.
Proposed resolution
For each example module, create an issue with the following requirements. Then set its parent issue to this one.
- All routes defined should use requirements: _permission: 'access content'. There might be some caveats where either more stringent requirements already exist, or which are special cases.
- Tool menu tests now need to reflect this new behavior. Add a step where we verify that the menu link does not exist when the user is anonymous, and that they do exist when the user has the 'access content' permission. No change here anymore as Mile23 commented.
- Tests will likely need to be updated to log in a user before proceeding with the test. Authenticated users will receive the 'access content' permission by default.
Comments
Comment #2
Mile23
I think 'access content' is reasonable because these modules might end up on a public site.
'view code examples' isn't such a great idea, because then that's an extra step for anyone trying to learn. The examples are supposed to illustrate as few things as possible, so that the code can be clear and there's not a lot of blind alleys for new devs.
Also we'll eventually have a routing example which should illustrate a lot of the access control stuff.
Leaving @todos around is bad, especially for examples, because in our case it should really be documentation.
Anyone want to audit the existing modules and see what changes we need? Maybe make some issues about them?
Comment #3
metzlerd (as a volunteer)
Cosmetics only.
Comment #4
Mile23
Updating this to a meta, with some requirements.
Comment #5
Mile23
Comment #6
metzlerd (as a volunteer)
I'm not sure we'll need separate users, but I can check this out. A default install usually grants the anonymous user 'access content' privileges. That is certainly the default configuration for Drupal core. I'm also not sure we need to be testing core functionality here, do we?
Comment #7
Mile23
Comment #8
Mile23
Comment #9
marvil07 (as a volunteer)
Comment #10
sumthief (as a volunteer and at DrupalJedi)
All children issues are fixed. Should change this issue status?
Comment #11
SKAUGHT
Please revisit this issue. #2102677: Port tabledrag_example module to Drupal 8 comments #46 #47 #48
Comment #12
Torenware (as a volunteer)
@SKAUGHT turns out to be right about this. I was working on a shiny new FunctionalTest, and discovered that if the node module is not enabled (this can happen in functional tests), the 'access content' permission will indeed fail for an anonymous user.
Since this issue is already marked fixed, I'm going to change it back. But I'm going to do a follow-up issue to fix the dependencies for examples.module.
Comment #13
Torenware (as a volunteer)
Marking this fixed again, since I've opened #2750555: Set modules which use 'access content' permission to have node as dependency to deal with @SKAUGHT's issue.
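
Added example (not part of the issue thread or the Examples project's code): a small Python audit for the two problems raised above, routes left open with `_access: 'TRUE'` in a `*.routing.yml` file, and modules that use 'access content' without depending on node. The sample files, the `demo.*` route names and the function names are constructed for illustration, and the parser assumes 2-space indented YAML.

```python
import re
# Constructed sample files; the module and route names are hypothetical.
ROUTING = """\
demo.open:
  path: '/examples/demo/open'
  requirements:
    _access: 'TRUE'
demo.guarded:
  path: '/examples/demo/guarded'
  requirements:
    _permission: 'access content'
"""
INFO = """\
name: Demo example
dependencies:
  - drupal:block
"""

def route_requirements(routing):
    """Map each route name to its 'requirements:' entries (2-space YAML assumed)."""
    routes, current, in_req = {}, None, False
    for line in routing.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:                  # a new route definition
            current, in_req = routes.setdefault(key, {}), False
        elif indent == 2:                # path, defaults, requirements, ...
            in_req = key == "requirements"
        elif in_req:                     # an entry inside requirements
            current[key] = value.strip().strip("'\"")
    return routes

def dependencies(info):
    """Return the module names listed under 'dependencies:' in a *.info.yml."""
    block = re.search(r"^dependencies:\n((?:[ \t]+-.*\n?)+)", info, re.M)
    items = re.findall(r"-\s*['\"]?([\w:]+)", block.group(1)) if block else []
    return {item.split(":")[-1] for item in items}

def audit(routing, info):
    """Return sorted findings for one module's routing and info files."""
    reqs = route_requirements(routing)
    findings = [f"{name}: _access 'TRUE' lets every visitor in"
                for name, r in reqs.items() if r.get("_access", "").upper() == "TRUE"]
    perms = {r.get("_permission") for r in reqs.values()}
    if "access content" in perms and "node" not in dependencies(info):
        findings.append("module: 'access content' used without a node dependency")
    return sorted(findings)
```

Calling `audit(ROUTING, INFO)` on the sample reports both findings; switching the open route to `_permission: 'access content'` and adding `- drupal:node` to the dependencies clears them.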