Problem/Motivation

This is a follow-up of #2155787: Introduce more flexible access control for content translation operations where @kfritsche mentioned in #2155787-22: Introduce more flexible access control for content translation operations that it would be useful to be able perform access checks for the translation create operation based on the target translation language.

Proposed resolution

Add a $context parameter to the access check methods and pass the language code of the target translation when checking the access for the translation create operation :

  • \Drupal\Core\Access\AccessibleInterface::access()
  • \Drupal\Core\Entity\EntityAccessControlHandlerInterface::access()

Remaining tasks

User interface changes

API changes

Data model changes

CommentFileSizeAuthor
#22 2985657-22-11.3.x.patch12.42 KBhchonov
#21 interdiff-20-21.txt1.01 KBhchonov
#21 2985657-21-10.5.x.patch12.13 KBhchonov
#20 2985657-20-10.5.x.patch12.11 KBhchonov
#19 2985657-19-10.5.x.patch11.25 KBhchonov
#16 2985657-nr-bot.txt150 bytesneeds-review-queue-bot
#3 drupal_2985657_2.patch35.05 KBchristian.wiedemann
#2 drupal_2985657_1.patch34.9 KBchristian.wiedemann

Comments

hchonov created an issue. See original summary.

christian.wiedemann’s picture

christian.wiedemann commented
StatusFileSize
new drupal_2985657_1.patch34.9 KB

The patch moves translation access logic to an own translation_access handler (ContentTranslationAccessControlHandler ) and makes it easy to allow modules to check per-entity if it is allowed to create/update/delete an entity translation. Maybe we should add an EntityValidation Handler to validate on save .
The $context for createAccess contains the translation language as langcode and the entity as source_entity.
I marked getTranslationAccess() as deprecated. Hope this points into the right direction.

christian.wiedemann’s picture

christian.wiedemann commented
StatusFileSize
new drupal_2985657_2.patch35.05 KB

Now with correct root folder

andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Active » Needs review
berdir’s picture

berdir
Primary language German
Location Switzerland
commented 
  1. +++ b/core/modules/content_translation/content_translation.api.php
@@ -0,0 +1,72 @@
+ * @see \Drupal\content_translation\ContentTranslationHandler
+ *
+ * @ingroup content_translation
+ */
+function hook_entity_translation_access(\Drupal\Core\Entity\EntityInterface $entity, $operation, \Drupal\Core\Session\AccountInterface $account) {
+  // No opinion.
+  return AccessResult::neutral();
+}
+
+/**

    Have you seen the discussion in the related issue?

    I don't see how there can be a difference between the existing access checks for update/delete *if* we ensure that the entity is passed in in the right language. 

  2. +++ b/core/modules/content_translation/content_translation.api.php
@@ -0,0 +1,72 @@
+ *   An associative array of additional context values. By default it contains
+ *   language and the entity type ID:
+ *   - entity_type_id - the entity type ID.
+ *   - langcode - the translation language code.
+
+ * @return \Drupal\Core\Access\AccessResultInterface
+ *   The access result. The final result is calculated by using
+ *   \Drupal\Core\Access\AccessResultInterface::orIf() on the result of every
+ *   hook_entity_translation_access_create() implementation, and the result of the
+ *   permissions checks in createAccess() method in the content access
+ *   translation handler.
+ *
+ * @see \Drupal\content_translation\ContentTranslationHandler
+ *
+ * @ingroup content_translation
+ */
+function hook_entity_translation_access_create(\Drupal\Core\Entity\EntityInterface $entity, \Drupal\Core\Session\AccountInterface $account, $context = []) {
+  // No opinion.

    The create access on the other hand is different, there we need additional information (the language, not sure what else, the entity type id is not needed, you can get that from the entity)

    My suggestion would be to limit this issue to create access only, like the issue title says, and leave it to the referenced issue to figure out how to dea with update/delete.

christian.wiedemann’s picture

christian.wiedemann commented

Sorry now i get it and you are completly right. It does not make sense to have own checks for update/delete

Maybe we don't need them for create either. Simple call the EntityAccessControlHandler::createAccess and simple provide the "source translation entity id" as $context parameter inside the overview controller. Lancode is already a context parameter.
(Would need another patch to handle the static cache correctly inside EntityAccessControlHandler)

Another option would be to move access logic to an own handler (ContentTranslationAccessControlHandler with createTranslationAccess and getTranslationAccess)

In both cases we must call the check also "before save" because only than we have the correct language.

What do you think?

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

matthiasm11’s picture

matthiasm11 commented

#3018576: Content translation should allow for a language-aware access checks deprecates getTranslationAccess() which means this issue can't make it into core if so.
Please use #3056020: Content translation access control to agree on an implementation plan.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

needs-review-queue-bot’s picture

needs-review-queue-bot commented
Status: Needs review » Needs work
StatusFileSize
new 2985657-nr-bot.txt150 bytes

The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

hchonov’s picture

hchonov
Primary language Bulgarian
Location Burgas
commented
Status: Needs work » Needs review
StatusFileSize
new 2985657-19-10.5.x.patch11.25 KB

I came up with the following idea where I add to \Drupal\content_translation\ContentTranslationHandler::getTranslationAccess() an entity_access hook invocation by prepending the operation with "translation_" e.g. becoming "tranlation_create", "translation_update", "translation_delete" and also passing additional \$context variable with the source and target language in the case of "translation_create".

One of the major changes here is that \Drupal\content_translation\Access\ContentTranslationManageAccessCheck::access() does not anymore return early if the user has the permission translate any entity, but makes sure that all other checks are executed first including the hooks, that could forbid access. It now instead relies on \Drupal\content_translation\ContentTranslationHandler::getTranslationAccess() to check that permission, as it already does anyway.

Patch is pretty rough only as an idea and based on 10.5 since I need once again a similar solution.

hchonov’s picture

hchonov
Primary language Bulgarian
Location Burgas
commented
StatusFileSize
new 2985657-20-10.5.x.patch12.11 KB

I've forgotten to add the context at one place.

hchonov’s picture

hchonov
Primary language Bulgarian
Location Burgas
commented
StatusFileSize
new 2985657-21-10.5.x.patch12.13 KB
new interdiff-20-21.txt1.01 KB

Edge case fix when there are no translations yet.

hchonov’s picture

hchonov
Primary language Bulgarian
Location Burgas
commented
StatusFileSize
new 2985657-22-11.3.x.patch12.42 KB
smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work

Have not reviewed but changes should be in MRs please