Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Updated: Comment #15
Problem/Motivation
#1984528: Follow-up: Allow for more robust access checking introduced specific constants for access checkers, primarily to help differentiate between NULL and FALSE.
Most access checkers do not use these yet.
Proposed resolution
Convert all remaining access checkers to use the the new constants
Remaining tasks
N/A
User interface changes
N/A
API changes
N/A
Related Issues
Comment | File | Size | Author |
---|---|---|---|
#24 | 2063405-access-checkers.patch | 12.98 KB | Crell |
#24 | interdiff.txt | 519 bytes | Crell |
#21 | access-2063405-21.patch | 12.98 KB | dawehner |
#21 | interdiff.txt | 716 bytes | dawehner |
#14 | access-2063405-14.patch | 12.91 KB | dawehner |
Comments
Comment #1
dawehnerLet's see how many are problematic here.
Comment #2
Wim LeersIn a lot of places in that patch, where
FALSE
used to be returned, you're now returningstatic::DENY
, but shouldn't that always bestatic::KILL
?Comment #3
dawehnerWell, in all of that places I thought that actually static::DENY makes more sense. You wan't to be able to use the access checker with other ones in an ANY access mode.
The only place where I active chosed to use static::KILL
was the csrf token access checker.
Comment #4
tim.plunkettNo, because more than half the time, the FALSE was wrong.
Comment #6
damiankloip CreditAttribution: damiankloip commentedYep that patch looks good to me; That's totally right, You can't have a decent access system relying on TRUE/FALSE alone. In most cases why should only one access check be able to block access to a route before everyone else has had a chance?
After the tone of the comments in #1984528: Follow-up: Allow for more robust access checking, you're a good man Daniel.
Comment #7
Wim Leers#3: that makes sense :)
#6: I apologize if the tone was perceived as harsh. I definitely was very frustrated. But having re-read my comments on that issue, I am reading almost solely observations and questions. Little emotion.
Reroll to fix exceptions, I ran
FloodTest
locally and it is now fully green, so hopefully the other tests will be too.Comment #9
Wim LeersThe remaining test failures in
Drupal\rest\test\CreateTest
look legitimate.Comment #10
dawehnerlinking because of pure lazyness: #2063401: Replace the default _access_checks(access mode) with ALL instead of ANY
Comment #11
dawehnerRemoved the change in the CRSFAccessChecker, as this potentially is intended ...
Comment #12
dawehner#11: access-2063405-11.patch queued for re-testing.
Comment #14
dawehnerJust a rerole.
Comment #15
andypostThere's no issue summary at all!
Comment #16
tim.plunkettIt's almost as easy to write one as it is to add the tag.
Comment #17
dawehnertim.plunkett++
Comment #18
andypostSo looking at the patch suppose that only checkers implementing
StaticAccessCheckInterface
should be updated?Please clarify this
Comment #19
dawehnerNo, all of them. The access method is part of AccessInterface, which is the base interface for both AccessCheckInterface and StaticAccessCheckInterface.
Comment #20
Crell CreditAttribution: Crell commentedThis looks like a pre-existing logic error. If you have 3 checkers on a route, set to ALL, and one of them is CSRF, then you can never ever access the route. This needs to return ALLOW or KILL, but not DENY.
Otherwise this looks good to me.
Comment #21
dawehnerGood point ... I totally think that ALLOW should be returned. In the case that CSRF is the only access checker, NULL works as TRUE in the any case, and you expect it to work like TRUE in the ALL case.
Comment #23
dawehnerWhat about just converting it for now and figure out the details later?
Comment #24
Crell CreditAttribution: Crell commentedI think all you need is to use the right constant name. :-)
Comment #26
Crell CreditAttribution: Crell commented#24: 2063405-access-checkers.patch queued for re-testing.
Comment #28
tim.plunkett#24: 2063405-access-checkers.patch queued for re-testing.
Comment #29
dawehneroooh!
Comment #30
dawehner#24: 2063405-access-checkers.patch queued for re-testing.
Comment #31
Wim LeersI grepped the code base for all occurrences of the string "
AccessCheckInterface
", opened the files if they were actual access check classes, and confirmed that they are usingstatic::(ALLOW|DENY|KILL)
everywhere, without exception.Combined with the fact that tests pass: RTBC.
Comment #32
alexpottCommitted c5ef1c9 and pushed to 8.x. Thanks!
Comment #33.0
(not verified) CreditAttribution: commentedupdate