Add status report message about JSON:API's read-only mode

The patch is working perfectly. Thanks

#3 patch

Site administrators easily configured both read and all Json api operations . Also I have reviewed and tested. #3patch worked for me.

Looks good, Wim. Thanks!

I think this is reusing text from our previous UX reviews when we were working to add the module to core. Can someone confirm? If so we don't need UX review a second time.

+++ b/core/modules/jsonapi/jsonapi.install
@@ -58,7 +58,14 @@ function jsonapi_requirements($phase) {
+      'description' => t('It is recommended to only enable all operations if the site requires it. <a href=":docs">Learn more about securing your site with JSON:API.</a>', [
+        ':docs' => 'https://www.drupal.org/docs/8/modules/jsonapi/security-considerations'
+      ]),

One possible UX concern for me is that unlike the field on the form you don't know if the description applies to your current setting on not. If you have it set to "Read only operations" you are not able see that the other possibility is "All operations..." but you'll set the description. I think we should only display the description if we're not in read only mode. Also I think that maybe the description probably should also contain a link to the config page where the user can change this. Otherwise the user has to navigate a tortuous route via d.o if they think "oh I'd like to change this".

Nice change.

+++ b/core/modules/jsonapi/jsonapi.install
@@ -58,7 +60,17 @@ function jsonapi_requirements($phase) {
+        'value' => t('All operations (create, read, update, delete) are allowed'),

Supernitpick: I think this is missing a final period, since it's a sentence rather than a single phrase/label.

Also, saving issue credit.

#16 I have rebuild the phrase.

@Wim Leers
I changed the phrase because as @xjm mentioned in#16 it is a sentence not a label or phrase so we require final period after that.

As per my understanding, if we will mention like below then no trailing period is required as itself completes the label and will maintain symmetry with other JSON API labels

+ 'value' => t('Allows all (create, read, update, delete)operations')

Please check. I might be wrong as well

Review

Sorry @Wim leers
I think I am misleading you. What I meant is if we put period in sentence then it will not act as label and will loose its symmetry with other labels. Attaching screenshot for reference. This was what I meant. May be I am not understanding the concern.

@shimpy is correct the value part of a requirement shouldn't have a full stop - see screenshot of existing sentence in a value...

Re-uploading #14 as that's the correct patch as far as I can see.

Lol... context... so the Drupal core update status warning does not have a full stop but the experimental module warning does ... /shrug we are inconsistent. But the fullstop is much rarer. See screenshot:

I think there's a better way. One sec and I'll post a patch.

I think the attached patch is more inline with what value is expected to be. It also means that if you change to read-only the information is still there and hasn't suddenly gone missing.

I've updated the screenshots in the issue summary.

@alexpott and @wim leers #25 seems more consistent. Works for me as well.

Awesomesauce!

Committed and pushed to 8.8.x. Thanks!

Wim and I debated backporting this to 8.7.x (it cherry-picks cleanly), since it's a security improvement, but also a string addition. Thoughts?