Problem/Motivation
Migrating from wse_preview does not result in the same access logic post-migration.
wse_preview's entity.workspace.preview_link_form route definition used a _permission check using an "OR" syntax (+) that included the following permissions:
manage workspace previewsview any workspaceedit any workspaceadminister workspaces
However, this module now uses the WorkspacePreviewLink's admin_permission attribute parameter for access control. Meaning link generation privileges are granted exclusively to users with the manage workspace previews permission.
That means users who could previously generate preview links aren't able to any longer.
Proposed resolution
Add the following migration to the module's installation hook:
$roles = Role::loadMultiple();
$adminPermission = 'manage workspace previews';
foreach ($roles as $role) {
if ($role->hasPermission($adminPermission)) {
continue;
}
$permissionGranted = FALSE;
// These permissions are copied from the wse_preview module's
// "entity.workspace.preview_link_form" route definition, which defined a
// "_permission" check using an "OR" syntax that included the following
// permissions.
$permissions = [
'view any workspace',
'edit any workspace',
'administer workspaces',
];
foreach ($permissions as $permission) {
if ($role->hasPermission($permission)) {
$role->grantPermission($adminPermission);
$permissionGranted = TRUE;
}
}
if ($permissionGranted) {
$role->save();
}
}
Issue fork workspace_preview-3598840
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
gabesulliceComment #3
gabesulliceComment #6
amateescu commentedAn alternative approach that I'd prefer is to restore the permissions used by wse_preview. Opened a MR for that.
Comment #8
amateescu commentedAnd merged, thanks!
Comment #11
amateescu commentedThough about this some more and decided to walk back on the initial MR. The OR'd permissions were basically working against the
workspace.viewentity access, and keeping the access gate shorter ("workspace.view" AND "manage workspace previews") makes more sense, even if it's a bit of extra work for people migrating fromwse_preview.Comment #12
gabesulliceThe follow up MR makes good sense and I think it's especially wise to add the
restrict access: trueoption to the admin permission.Comment #14
amateescu commentedMerged the followup MR, thanks for reviewing!