JSON API incorrectly requires the "access content" permission for *all* routes [#2940336]

Problem/Motivation

Discovered in #2930028-42: Comprehensive JSON API integration test coverage phase 1: for every entity type, individual resources only.

This is a WTF for developers. Consequently, it also muddles the test coverage that must ensure proper authorization is granted .

This was fine in an initial development phase, but now it seems like this is security through obscurity?

Proposed resolution

Stop requiring the access content permission.

Remaining tasks

Discuss

User interface changes

None.

API changes

None. (Well, no longer requires the access content permission.)

Data model changes

None.

Comment	File	Size	Author
	2940336-10-follow_up.patch	2.2 KB	wim leers
#2	2940336-2.patch	2.4 KB	wim leers

Comments

Comment #1

29 January 2018 at 14:28

Wim Leers created an issue. See original summary.

Comment #2

wim leers

Ghent 🇧🇪🇪🇺

commented 29 January 2018 at 14:29

Status:

Active

» Needs review

Status	File	Size
new	2940336-2.patch	2.4 KB

Comment #3

gabesullice

English

commented 30 January 2018 at 13:53

Status:

Needs review

» Reviewed & tested by the community

LGTM

Comment #4

wim leers

Ghent 🇧🇪🇪🇺

commented 31 January 2018 at 22:46

I think this either needs:

sign-off from @e0ipso or
very strong indications that this was not an intentional decision

I did some git archeology, and it looks like this was introduced by @e0ipso in commit a6dd110c in August 2016, without a d.o issue. Because there's a fair amount of placeholder code/TODOs in that commit, I think it's 99% likely that the access content permission being required was just a "let's get the basics working" thing.
I think that qualifies as a very strong indication.

Comment #5

e0ipso

Catalan

Can Picafort

commented 4 February 2018 at 08:55

I think it's 99% likely that the access content permission being required was just a "let's get the basics working" thing.

Thank you @Wim Leers. That is 100% true. 😛

Comment #6

e0ipso

Catalan

Can Picafort

commented 4 February 2018 at 08:57

Issue tags:

+Needs reroll

I wanted to commit, but it seems the patch does not apply after pulling latest changes.

Comment #7

4 February 2018 at 08:58

e0ipso committed d0b577f on 8.x-1.x authored by Wim Leers

Issue #2940336 by Wim Leers, e0ipso, gabesullice: JSON API incorrectly...

Comment #8

e0ipso

Catalan

Can Picafort

commented 4 February 2018 at 08:58

Status:

Reviewed & tested by the community

» Fixed

Comment #9

wim leers

Ghent 🇧🇪🇪🇺

commented 5 February 2018 at 11:29

Great, thanks Mateu! :D

Comment #11

2 March 2018 at 19:24

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

JSON API incorrectly requires the "access content" permission for all routes

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #11

Related issues

Referenced by

News items

Our community

Documentation

Drupal code base

Governance of community