Users with 'access commerce_promotion overview' permission cannot access the promotion collection page, while the analogous permissions of orders and products work.
The difference is, that the others use a View with the appropriate permission set, while the original collection routes won't check for that permission.
I'll see that the best solution in the long run would be to add/fix this directly in Entity API, where the permission providers and the the access control handlers derive from.
I'm not sure, if there are any other similar routes in Commerce concerned.
I'd strongly vote for fixing this bug in Commerce for this route specifically. Then we can still discuss, if Entity API should already ship with that default for collection routes
Comment | File | Size | Author |
---|---|---|---|
#25 | 2945286-25.patch | 4.25 KB | mglaman |
| |||
#23 | the_access_overview-2945286-23.patch | 4.22 KB | mglaman |
#21 | 2945286-21.patch | 3.12 KB | agoradesign |
| |||
#10 | fix_promotion_collection_access-2945286-10-test_only.patch | 2.55 KB | agoradesign |
Comments
Comment #2
agoradesign CreditAttribution: agoradesign commentedhere's the patch
Comment #4
agoradesign CreditAttribution: agoradesign commentednext try
Comment #5
mglamanNeeds functional test to verify bug then fix.
Comment #6
agoradesign CreditAttribution: agoradesign commentedI'll provide one
Comment #7
agoradesign CreditAttribution: agoradesign commentedComment #10
agoradesign CreditAttribution: agoradesign commentedooops... accidentially deleted a line immediately before patch creation...
Comment #11
agoradesign CreditAttribution: agoradesign commentedComment #13
agoradesign CreditAttribution: agoradesign commentedok cool.. test and patch are both working.. here's the cleaned up version having the unused imports removed
Comment #14
mglamanI'm curious why we need to manually define this route and fix the permissions.
I want to look into the route provider as well to see what is up. This permission
access commerce_promotion overview
does not exist, as far as I know. UnlessDrupal\commerce\EntityPermissionProvider
is providing it (I don't think so?)Thanks for the tests!
Comment #15
agoradesign CreditAttribution: agoradesign commentedYes it does, to be more precise: the permission provider of Entity API is providing it, but apparently not caring about its usage on collection routes... so that's why I wrote in teh summary:
So it's a bug or rather missing feature of Entity API, resulting in an annoying bug in Commerce. That's why I'm proposing this patch for Commerce. I don't think that Entity API will get this in soon
Comment #16
mglamanDiscussed in Slack: we need to open an issue in the Entity API queue about the bug and add a
# @todo Remove once :link resolved
Comment #17
mglamanThere is nothing to do in Entity API, actually. It is providing the generally accepted permission of "overview". However, Drupal core does not support that type of permission granularity.
The route itself uses the admin permission
This means the permission bug is present on any entity collection overridden by a View. So we need to provide an overridden RouterProvider or keep the manual fix in the
routing.yml
.Comment #18
mglamanDiscussed with bojanz and agoradesign. It sounds like the way forward would still be a patch in Entity API. Entity API should have a route provider which respects the overview permission. It will need to check that the entity uses the EntityPermissionProvider handler and adds the overview permission alongside the admin permission.
Comment #19
mglamanThis is blocked by #2951270: Core's generated collection routes do not support the provided "access overview" permission
Comment #20
mglamanI'm going to postpone this on the other issue. Just makes the issue queue easier to grok.
Comment #21
agoradesign CreditAttribution: agoradesign commentedNow that the issue is unblocked, here's an updated patch using the new route provider
Comment #22
bojanz CreditAttribution: bojanz at Centarro commentedWe should make the change in all of our entity types. Product attributes have the same problem (since they don't use a view), and others could easily trigger this if someone disables a shipped view.
We probably don't need a test, since we're relying on Entity API (and at one point core) to do the heavy lifting.
Comment #23
mglamanIt's only for Order and Product. Product Attributes we only have the admin permission.
Comment #25
mglamanRetry on patch.
Comment #26
bojanz CreditAttribution: bojanz at Centarro commentedWe definitely have the following permissions:
- Access the product attributes overview page
- Access the stores overview page
I'll go ahead and convert ProductAttribute and Store as well.
Comment #28
bojanz CreditAttribution: bojanz at Centarro commentedFixed Store and ProductAttribute, updated the references to the PermissionProvider while I was at it (the Commerce one has been deprecated in 2.0 but was still used).