Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
We need to reach a decision about how to handle field permissions in the Fields in Core patch. One important place this will be needed is when we try to port Profile fields to the new system, since some of them will need permission control.
Proposed resolution
The decision has been postponed.
Remaining tasks
We need to reach a decision at some point. Preferably, this would be soon enough so we can get it into d8.
User interface changes
A UI for field permissions would need to be added.
API changes
None.
Comments
Comment #1
bjaspan CreditAttribution: bjaspan commentedWe didn't *completely* punt; we have this in field.module:
I haven't looked at D6 field access functionality but I'm sure there is more to it. :-) As a trivial detail, we should de-$op-ify.
Comment #2
yched CreditAttribution: yched commentedWhat we have in there is small but consistent and should be working pretty fine - we'd need to write tests :-)
What is not possible right now is stuff like 'limited visibility' that profile.module offers : view my own, edit my own...
That would imply passing the $object as a param to the access hooks - this also implies that the module that implements this '$op my own' stuff knows how to recognize who's the 'owner' of the object : assume $object->uid ?
Comment #3
bjaspan CreditAttribution: bjaspan commentedIf Field API, or hooks it calls, need access to owner information, ISTM we should extend field_attach_extract_ids() to return it.
Perhaps that would be false generality. The "owner" would be assumed to be a Drupal user id, so it would pretty much always be $object->uid. However, since we already have field_attach_extract_ids() it would seem odd not to use it.
We should put uid in the list of return values from field_attach_extract_ids() based on its frequency of use relative to the other returned values. I'd either put it last or just before 'cacheable'.
Comment #4
yched CreditAttribution: yched commentedAgreed on field_attach_extract_ids().
Sidenote : shouldn't we move field_attach_extract_ids() to return a structured, keyed array of ['key' => value] pairs ?.
I'm not sure I understand whether you want an 'owner key' => 'uid' entry in hook_fieldable_info(), though.
'id key', 'revision key', etc... are precisely a workaround for the current lack of consistency between $node->nid, $user->uid, $term->tid, ... Ideally, we should (some day... ?) move to unified, predictable keys : $obj_type . '_id', etc... If there's *one* property where we can assume consistency ("owner is $object->uid"), then we should be happy :-)
Ok, that's nitpicking. 'owner id' should be fine..
I'm not sure about de-opifying field_access(). The $op in field_access($op) is not like the one in pre-D7's nodeapi($op). It's the name of the grant you're checking. Most of the time, the same mechanism will be used to retrieve the grant, so it's not bound to end up in separate switch branches that are better off as separate functions with their specific sets of arguments. node_access($op) has not been de-opified in D7. Unless it does, I think we're more consistent where we are now.
Comment #5
bjaspan CreditAttribution: bjaspan commentedI could go either way on assuming $obj->uid vs. having extract_ids() do it. I agree it would be great if we had consistent names for primary id properties across objects.
The reason extract_ids() returns a numerically-indexed array and not a hashtable is so this is possible:
Otherwise, our code will look like:
which I think is uglier. Not a deal breaker, though.
Unfortunately, the list() syntax does not work with hashtables:
Comment #6
yoroy CreditAttribution: yoroy commentedTagging to collect some permissions related stuff I see bubbling up
Comment #7
swentel CreditAttribution: swentel commentedMarked #501404: Field Permissions in Core as a duplicate of this.
Comment #8
andypostSo what is a state of the issue?
https://drupal.org/node/1928882 New entity field access control and hooks
https://drupal.org/node/1903124 Entity types now have a generic way to deal with permission granularity
It looks like we have no UI just now
Comment #9
AndyLicht CreditAttribution: AndyLicht commentedHi,
when could this module be used in Drupal 8? It would be a great featue in D8! I am not good enough to develop this modul.
Thanks for every answear.
Andy
Comment #10
MickL CreditAttribution: MickL commented+1
Comment #11
andypostlet's postpone that and properly title
Comment #12
toamit CreditAttribution: toamit commentedIt will be nice to have field permit UI included in core ASAP
Comment #13
toamit CreditAttribution: toamit commentedAny interest in making this happen now that D8 is out ? Please consider updating this to a major issue.
Comment #14
areke CreditAttribution: areke commentedComment #16
AlexBorsody CreditAttribution: AlexBorsody commentedComment #17
ExTexan CreditAttribution: ExTexan commented+1 on this. I feel it should be (should have been) part of core anyway, not handled by a contrib module (that is not D8-ready).
Comment #18
ybabel CreditAttribution: ybabel commented+1
Comment #19
yoroy CreditAttribution: yoroy at Roy Scholten commentedIf you need this, look into how you can help make it happen. "+1" voting alone does not make things happen.
Instead: Come up with a plan: what needs to happen, what needs to happen first? Can you or your company commit resources to this effort? Would you be able to sponsor a developer who does have time and expertise? etc.
Comment #23
anavarre