Closed (fixed)
Project:
Drupal core
Version:
8.4.x-dev
Component:
rest.module
Priority:
Normal
Category:
Bug report
Assigned:
Issue tags:
Reporter:
Created:
16 Jan 2017 at 06:00 UTC
Updated:
7 Jun 2017 at 17:05 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #3
jamesdeee commentedPlease see my note on https://www.drupal.org/node/2843756#comment-11983203.
I'm keen to help with these issues but I'm having some trouble using the FieldStorageConfig entity, so I'm going to switch over to the views entity, which I can get to work with the REST module. Hopefully on the way I'll learn enough to be able to go back to the FieldStorageConfig entity, but for now I'm going to put that one on hold and try to write tests for the view entity.
Comment #4
wim leersGreat! :)
Comment #5
Anonymous (not verified) commentedThis patch will fail. Way to pass:
Comment #7
Anonymous (not verified) commentedMaybe we can use
'access content'like in #2843772: EntityResource: Provide comprehensive test coverage for DateFormat entity. I have already tried to do this for #2843783-5: EntityResource: Provide comprehensive test coverage for Menu entity. But the View is a more complex module than Menu, so let's first to see what additional artifacts will appear after change this permission.Comment #8
Anonymous (not verified) commentedAll tests passed! So we can try to make changes in our tests like #2843783-5: EntityResource: Provide comprehensive test coverage for Menu entity.
@jamesdesq, do you still have a desire to help with this?
Comment #9
jamesdeee commentedHi, @vaplas - yes I do. I'm really still learning about how functional testing works, but if there's something I can do let me know. Would you like me to review it?
Comment #10
wim leers@vaplas #7 is testing
Menu, notView… so the fact that #7 passes tests doesn't help you here :)Comment #11
jamesdeee commentedI've applied both patches to a fresh 8.3 install, and I'm still getting an error on the three testGets. It's entirely possible this is something I'm doing wrong, though. I've got to go work now, but I'll run them again a bit later on and see if I still get the same result.
for reference, the errors are as follows:
Failed asserting that 200 is identical to 403.
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/ResourceTestBase.php:361
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/ResourceTestBase.php:385
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php:378
Failed asserting that 200 is identical to 401.
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/ResourceTestBase.php:361
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/ResourceTestBase.php:385
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/BasicAuthResourceTestTrait.php:35
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php:356
Failed asserting that 200 is identical to 403.
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/ResourceTestBase.php:361
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/ResourceTestBase.php:385
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/CookieResourceTestTrait.php:98
/Users/james/Sites/d8dev/docroot/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php:356
Comment #12
wim leersThat's because the patch in #7 is wrong, like I said in #10.
Comment #13
jamesdeee commentedSo I tried adding
...to ViewsAccessControlHandler.
I've also added that permission to the grantPermissionsToTestedRole function in setUpAuthoriation in the test base file. I get a new error (which is nearly as good a successful result, IMHO), saying:
Failed asserting that two strings are identical.
Expected :{"message":"The \u0027administer views\u0027 permission is required."}
Actual :{"message":"The \u0027access content\u0027 permission is required."}
So I guess I have two questions:
1) Should the permission on on ViewsAccessControlHandler by administer views, rather than access content? (I've tried changing it, but I get the same error I've posted above)
2) I don't really understand why I'm getting an error saying the user needs a permission that I've explicitly assigned in the setup.
Comment #14
Anonymous (not verified) commented#10: oppps :) Thank you!
#11: yeah, as mentioned in #10 and #12, I sent a useless patch, sorry for this misunderstanding.
#12: sounds like absolutely right actions! It remains to slightly correct the expected error message from GET request. See
getExpectedUnauthorizedAccessMessage()change in interdiff for Menu.It is also very useful to attach the results of current work to the issue, so that others can also move forward and make review code.
Comment #15
Anonymous (not verified) commentedSo, about you questions:
12.1: we need
'access content'for GET, and'administer views'for POST, PATCH, DELETE, since it is these requirements that theViewsAccessControlHandlerposes after your change.12.2: This is ok, because by default
getExpectedUnauthorizedAccessMessagegenerate message with admin permission:Now we have special case, when GET has other permission, hence we need bit override this function to our case too.
Comment #16
jamesdeee commentedSo it looks as though, with the following changes, the tests pass:
ViewAccessControlHandler needs the permission condition added to the check access function, as follows:
ViewResourceTestBase needs both the administer views and the check access permission:
And finally the getExpectedAuthorizedMessage function on EntityResourceTestBase needs a switch in it to return the correct error on GET:
The only thing I'm wondering is, will the change to EntityResourcTestBase mess up other people's tests? Should I be extending the ViewsResourceTestBase instead?
Comment #17
jamesdeee commentedOK, right, that seems to work. I've added the following function to ViewResourceTestBase:
So I should put this all into a patch, I guess?
Comment #18
jamesdeee commented...which I guess should look like this?
Comment #19
Anonymous (not verified) commented@jamesdesq thank you, I think this is what we really need! Bit remarks:
This short change looks pretty, but this means that we set unnecessary permission
'administer views'to GET, and unnecessary'access content'permission to POST, PATCH and DELETE. Usually in such cases we dividing the permissions by $method viaiforswitch. Like:Why we need next change:
your patch pass locally without this conditional too.
Also you attached patch like interdiff between #7, it is helpfull for review, but for Bot we also need full patch (combine this patch and #7 patch) and change issue status to Need review to run testing.
Comment #20
Anonymous (not verified) commentedOh, I meant #5 patch of course. Forget about #7, please :)
Comment #21
jamesdeee commentedThanks @vaplas. You're right, it makes sense to switch the permissions like that. I've put both patches together and added the condition on the http verb.
Thanks for all your help with this - I've really learned a lot!
Comment #22
Anonymous (not verified) commentedComment #24
wim leersJust one nit! One extraneous
\nin here.Then this is RTBC :)
It's so great to hear from @vaplas that he's learning a lot, then seeing @vaplas mentor @jamesdecq, and then seeing @jamesdecq thank @vaplas! Thank you both for being so helpful, so constructive, and so eager to absorb & spread knowledge!
Comment #25
Anonymous (not verified) commentedFantastic support from the mantainer of this component defenitely impact on the results!
@jamesdesq, I also learn a lot in these topics.
I was afraid of the consequences after change in the
ViewsAccessControlHandler, but #21 green - super!You still decided to leave this code, why? + #24 point.
Comment #26
jamesdeee commented@vaplas - I think I misunderstood the point you were making in #19 with regard to the extraneous condition. I've removed it now. It's also entirely possible I hadn't drunk enough coffee when I made the patch this morning.
@wim - I'm not sure I understand what you mean. Do you mean there's a line break between the - and > on the pointer? I can see that in the code you've quoted in #24, but I can't see it in the patch I uploaded at #21. Am I missing something?
Let me know and I'll redo the patch.
Comment #27
Anonymous (not verified) commented#24 just a 'nit' clean-up. Delete an empty line at the beginning of the function for general purity :)
Comment #28
jamesdeee commentedGreat - thanks again!
So, this patch has the stray line ending removed from the getExpectedUnauthorizedAccessMessage function, as well as the unnecessary condition.
Comment #29
jamesdeee commentedComment #30
wim leers#25: great remark! Thanks for spotting that :)
#28: Yep, that's it! Thanks :) Next time, can you please include an interdiff? That makes it easy to see what changes you made. See https://www.drupal.org/documentation/git/interdiff.
For this time, I did that manually, and I can confirm the changes are sound.
Thanks, @jamesdesq & @vaplas!
Comment #31
jamesdeee commented@wim-leers - I didn't realise interdiff was a thing - but next time I'll definitely use it.
Is there anything that needs to happen, next-steps-wise? Looking at https://www.drupal.org/node/2843756, it seems like @alexpott eventually reviewed it and committed it - which I assume he can do because he's a co-maintainer? So I'm assuming that all the work here is done and we just wait for the patches to get included in a release?
Last up, thanks again to both @wim-leers and @vaplas for everything. I've had a couple of false starts with contributing in the past, but this has been a really positive experience for me, and I'm going to try to pick up another of the outstanding test tickets on the parent issue as soon as I can.
Comment #32
wim leersNope, this is ready! It's RTBC now: . The next step is that a Drupal core committer takes a look at it, and either finds problems and marks this Needs work, or (s)he commits it and marks it Fixed :)
So, yes, this is now just waiting — nothing more to do here!
I'm very glad you found this such a positive experience — looking forward to seeing you on one of the other remaining test issues on the parent issue!
Comment #33
alexpottThis needs more discussion. As per the other issues. See #2843772-15: EntityResource: Provide comprehensive test coverage for DateFormat entity
Also what doesn't viewing the view entity mean?
Comment #34
wim leersI'm assuming this is referring to
This code means it was literally impossible to configure your site to disallow access to this entity. Which means you cannot possibly ever deny access to it. Which means anonymous users can always see this.
This is at least a small step forward. May need further refinement.
That being said, this is blocked on #2870018: Should the 'access content' permission be used to control access to viewing configuration entities via REST reaching consensus first.
Comment #35
wim leersConsensus was achieved! Quoting #2870018-35: Should the 'access content' permission be used to control access to viewing configuration entities via REST:
Comment #36
wim leersComment #37
alexpottComment #38
alexpottFixing the open access is a bug fix.
Comment #39
alexpottCommitted c0a1c92 and pushed to 8.4.x. Thanks!
I discussed this with @catch because of the class removal. Whilst entity handlers are explicitly not API (see https://www.drupal.org/core/d8-bc-policy) removing a class in a bug fix feels off.
If we want to backport this we should deprecate it in 8.3.x and say it is going to be removed in 8.4.x.
Not sure that this is worth it but if contributors do - feel free to re-open and port the patch to 8.3.x by doing the above steps.
Comment #41
wim leersYay, thanks! Updated #2824572: Write EntityResourceTestBase subclasses for every other entity type..