Introduced in branch: 10.2.x
Introduced in version: 10.2.0
Description: 

Entity types that use DefaultHtmlRouteProvider's auto-generated collection route currently grant access to the collection only to users with the admin permission. Often, however, it makes sense to grant users access to the collection route even if they do not have full administrative powers. To facilitate this, entity types can now add a "collection permission" to their annotation, similar to the admin permission:

/**
 * @ContentEntityType(
 *   ...
 *   handlers = {
 *     "list_builder" = "Drupal\my_awesome_module\MyAwesomeListBuilder",
 *     "route_provider" = {
 *       "html" = "Drupal\Core\Entity\DefaultHtmlRouteProvider",
 *     },
 *   },
 *   links = {
 *     "collection" = "/admin/structure/my-awesome-entities",
 *   },
 *   admin_permission = "administer my awesome entities",
 *   collection_permission = "access the awesome entity overview",
 * )
 */

Users that have either the admin permission or the collection permission will be allowed to access the generated collection route.

Modules providing generic entity functionality may consider whether relying on the collection permission to check access for certain lists or collections of entities is a good fit for them. Note that, in particular, the following core modules do not check for the collection permission:

  • JSON:API: The entity-type specific JSON:API collection routes do not check for the collection permission. They already do not check for the admin permission, so the behavior is consistent with entity types that do not declare a collection permission: access to each entity is checked individually, so for users without any permissions an empty list is displayed (regardless of whether the entity type declares a collection permission).
  • REST: The REST module does not provide collection routes.
  • Views: Views displays, including REST export displays, can be configured to check for any permission as part of their access control, so they can be configured to check for the collection permission, but they do not inherently do so.
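
For a module that builds its own entity listing and wants the same "admin permission or collection permission" rule as the generated collection route, one possible access check is sketched below. This is an added example, not Drupal core code: the class name, namespace and method name are hypothetical, and the collection permission is read with the generic get() accessor using the annotation key shown above.

```php
<?php

namespace Drupal\my_awesome_module\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical access check for a module-provided entity listing.
 *
 * Allows the listing when the account has either the entity type's admin
 * permission or its collection permission.
 */
final class EntityListingAccessCheck {

  public function __construct(
    private readonly EntityTypeManagerInterface $entityTypeManager,
  ) {}

  public function access(AccountInterface $account, string $entity_type_id): AccessResultInterface {
    // Unknown entity type IDs return NULL here instead of throwing.
    $entity_type = $this->entityTypeManager->getDefinition($entity_type_id, FALSE);
    if ($entity_type === NULL) {
      return AccessResult::forbidden('Unknown entity type.');
    }

    // getAdminPermission() returns FALSE when no admin permission is
    // declared; get() returns NULL for an unset annotation key.
    // array_filter() drops both, leaving only declared permissions.
    $permissions = array_filter([
      $entity_type->getAdminPermission(),
      $entity_type->get('collection_permission'),
    ]);

    // With neither permission declared there is nothing to check against,
    // so do not grant access.
    if ($permissions === []) {
      return AccessResult::neutral('No admin or collection permission declared.');
    }

    // 'OR': holding any one of the permissions is sufficient. The result
    // carries the user.permissions cache context.
    return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR');
  }

}
```

Because the listing only gates the overview, access to each listed entity still needs to be checked separately, as the JSON:API routes described above do.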
Impacts: 
Site builders, administrators, editors
Module developers