Problem/Motivation

Messages warning users that permissions may need to be rebuilt can be shown to users who cannot access the permission rebuild page. This may cause confusion and frustrations to users.

Steps to reproduce

  1. Create a "User admin" role
  2. Give the User admin the "administer users" permission
  3. As a user with the role of "User admin", update any user's roles
  4. After saving the user you should see the "Your changes have been saved. You may have to rebuild permissions for your changes to take effect." message
  5. Clicking on the link to rebuild permissions gives you a 403 error

Proposed resolution

Check a user's permissions before adding the message.

Remaining tasks

Add permission check

User interface changes

Message will be hidden for users who cannot rebuild permissions.

API changes

None

Data model changes

None

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

averagejoe3000 created an issue. See original summary.

averagejoe3000’s picture

steven jones’s picture

Status: Active » Needs work

@averagejoe3000 thanks for the work here.

I suppose that we should add a test to ensure that we don't show the message to someone who can edit the settings, but not rebuild the access permissions.

joao.ramos.costa’s picture

Hi !
IMO the availability of this messages — considering that in my experience, access to these forms is usually granted to users with elevated permissions — could be something configurable within the module itself, WDYT ?

Thank you!

quadrexdev made their first commit to this issue’s fork.

quadrexdev’s picture

Assigned: averagejoe3000 » Unassigned
Status: Needs work » Needs review

Added test coverage and used ->access($current_user) to check access, instead of a permission check.

Please review.

alt36’s picture

I think a better approach for both this issue and the underlying original issue #3357181: Does not react to role changes is to just call node_access_needs_rebuild(TRUE) rather than showing a message via content_access_user_update().

  1. The current implementation uses addMessage() to show a message to the user, but that only gets displayed once. My reading of #3357181: Does not react to role changes is that this check was added in order to make sure a site owner knows that permissions need to be rebuilt
  2. DRY: the node_help() implementation in core already performs multiple checks to decide if the "needs rebuild" message should be shown, including but not limted to checking if the user has the right permission. (NB node_help() currently checks explicitly for the 'administer nodes' permission, although I agree that the checking if $current_user can access the relevant route is better)
  3. UX consistency: setting the node access rebuild flag generates a warning message, whereas this module currently sets a status message. (It might be better if this module could check if the role changes actually require a permission rebuild rather than showing a message unconditionally, but as noted in some of the linked issues that feels like a separate and non-trivial issue)

Taking this approach would also mean the test cases added in MR !14 should just check e.g. $this->assertTrue(\Drupal::state()->get('node.node_access_needs_rebuild'), 'Node access permissions need to be rebuilt'); (following NodeAccessRebuildNodeGrantsTest.php in the core node module)

quadrexdev’s picture

Version: 2.0.x-dev » 2.1.x-dev
quadrexdev’s picture

Issue tags: +LutskGCW26
quadrexdev’s picture

Status: Needs review » Fixed

@alt36 I agree, it makes more sense, and this way we're relying on the core behavior without re-inventing the same thing in our module.

Merged in 2.1.x

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

steven jones’s picture

Status: Closed (fixed) » Needs work

I'm suggested that we revert the changes introduced in this issue over here:

#3574984-14: 2.1.0-rc2 keeps asking to rebuild permissions

Because these changes call node_access_needs_rebuild(TRUE); a lot of the time when they don't need to.

I'm going to raise a new issue about how to do the content auth grant realm properly, and then that'll mean that we can safely remove the messaging that this ticket was originally about.

  • steven jones committed 3a3dbde1 on 2.1.x
    Revert #3464095: Only show rebuild permission messages to users who can...
steven jones’s picture

Over in #3579507: Re-work the author grant realms I've got a different implementation that doesn't need to recompute the node access records any time a user's roles change.
It should be considered experimental I think, but if anyone wanted to test that out on a dev site and let me know if it works for them that would be much appreciated. I've added tests for the functionality that's changing, but you never know eh?

steven jones’s picture

Status: Needs work » Closed (won't fix)

I'm going to go ahead and mark this issue as 'won't fix' since the proper fix is coming in 3.x / #3579507: Re-work the author grant realms. We're just going to go around in circles trying to do something a bit silly if we try to resolve this message being shown incorrectly etc. The correct way forward is to get the records/grants done right, so that we don't need a message at all, because the system works.

Thanks for your help on this issue everyone, and feel free to pitch in on #3579507: Re-work the author grant realms.

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.