Problem/Motivation

Migrating from wse_preview does not result in the same access logic post-migration.

wse_preview's entity.workspace.preview_link_form route definition used a _permission check using an "OR" syntax (+) that included the following permissions:

  • manage workspace previews
  • view any workspace
  • edit any workspace
  • administer workspaces

However, this module now uses the WorkspacePreviewLink's admin_permission attribute parameter for access control. Meaning link generation privileges are granted exclusively to users with the manage workspace previews permission.

That means users who could previously generate preview links aren't able to any longer.

Proposed resolution

Add the following migration to the module's installation hook:

$roles = Role::loadMultiple();
$adminPermission = 'manage workspace previews';
foreach ($roles as $role) {
  if ($role->hasPermission($adminPermission)) {
    continue;
  }
  $permissionGranted = FALSE;
  // These permissions are copied from the wse_preview module's
  // "entity.workspace.preview_link_form" route definition, which defined a
  // "_permission" check using an "OR" syntax that included the following
  // permissions.
  $permissions = [
    'view any workspace',
    'edit any workspace',
    'administer workspaces',
  ];
  foreach ($permissions as $permission) {
    if ($role->hasPermission($permission)) {
      $role->grantPermission($adminPermission);
      $permissionGranted = TRUE;
    }
  }
  if ($permissionGranted) {
    $role->save();
  }
}
Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

gabesullice created an issue. See original summary.

gabesullice’s picture

Issue summary: View changes
gabesullice’s picture

Issue summary: View changes

amateescu made their first commit to this issue’s fork.

amateescu’s picture

Status: Active » Needs review

An alternative approach that I'd prefer is to restore the permissions used by wse_preview. Opened a MR for that.

  • amateescu committed 18379375 on 1.0.x
    fix: #3598840 wse_preview migration does not reproduce the same access...
amateescu’s picture

Status: Needs review » Fixed

And merged, thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

amateescu’s picture

Status: Fixed » Needs review

Though about this some more and decided to walk back on the initial MR. The OR'd permissions were basically working against the workspace.view entity access, and keeping the access gate shorter ("workspace.view" AND "manage workspace previews") makes more sense, even if it's a bit of extra work for people migrating from wse_preview.

gabesullice’s picture

The follow up MR makes good sense and I think it's especially wise to add the restrict access: true option to the admin permission.

  • amateescu committed abf8493d on 1.0.x
    fix: #3598840 followup: Tighten the access handling for being able to...
amateescu’s picture

Status: Needs review » Fixed

Merged the followup MR, thanks for reviewing!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.