403 responses to REST PATCH requests now specify the reason for disallowing PATCHing a field

By Wim Leers on 16 May 2018

Change record status:

Published (View all published change records)

Project:

Drupal core

Introduced in branch:

8.6.x

Introduced in version:

8.6.0

Issue links:

https://www.drupal.org/node/2938035

Description:

Impact for API clients/consumers

Improved DX:

Before

{"message":"Access denied on updating field 'sticky'."}

After

{"message":"Access denied on updating field 'sticky'. The 'administer nodes' permission is required."}

Impact for modules providing entity types that have REST test coverage

Improved test coverage, for tests classes which subclass \Drupal\Tests\rest\Functional\EntityResource\EntityResourceTestBase:

Before

  protected static $patchProtectedFieldNames = [
    'revision_timestamp',
    'revision_uid',
    'created',
    'changed',
    'promote',
    'sticky',
    'path',
  ];

After

  protected static $patchProtectedFieldNames = [
    'revision_timestamp' => NULL,
    'revision_uid' => NULL,
    'created' => "The 'administer nodes' permission is required.",
    'changed' => NULL,
    'promote' => "The 'administer nodes' permission is required.",
    'sticky' => "The 'administer nodes' permission is required.",
    'path' => "The following permissions are required: 'create url aliases' OR 'administer url aliases'.",
  ];

Impacts:

Module developers

Themers

Updates Done (doc team, etc.)

Online documentation:

Not done

Theming guide:

Not done

Module developer documentation:

Not done

Examples project:

Not done