Problem/Motivation

#2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method unveiled #2808217: To be able to view Vocabulary config entities via REST, one should not have to grant the 'administer taxonomy' permission. That's for the Taxonomy module's Vocabulary (config) entity type. A similar problem exists for the Term (content) entity type.

Proposed resolution

Add per-bundle "create" permission. The "update" and "delete" cases are less clear. But creating new terms is a very common necessity. Updating/editing and deleting terms is far less common, and is usually an administrator-only task.
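As an added illustration of what a per-bundle "create" permission looks like in practice (this is not code from the issue or from Drupal core, and the class and method names other than the core APIs `AccessResult`, `EntityAccessControlHandler`, `Vocabulary` and the `permission_callbacks` key are hypothetical), the following sketch defines one `create terms in <vocabulary>` permission per vocabulary and enforces it in an entity access control handler, alongside the `edit terms in …` and `delete terms in …` checks that the "update" and "delete" cases would need. In a real module each class would live in its own file under `src/`.

```php
<?php

// Added example, not the issue's or Drupal core's own code.
// Demonstrates: (1) a permission callback that generates a per-vocabulary
// "create" permission, and (2) an access control handler that checks the
// per-bundle permission OR the global 'administer taxonomy' permission.

namespace Drupal\example_taxonomy_perms;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\taxonomy\Entity\Vocabulary;

/**
 * Hypothetical permission callback: one "create" permission per vocabulary.
 *
 * Registered from example_taxonomy_perms.permissions.yml with:
 *   permission_callbacks:
 *     - \Drupal\example_taxonomy_perms\VocabularyCreatePermissions::permissions
 */
class VocabularyCreatePermissions {

  /**
   * Returns a "create terms in <vid>" permission for every vocabulary.
   */
  public function permissions() {
    $permissions = [];
    foreach (Vocabulary::loadMultiple() as $vocabulary) {
      $vid = $vocabulary->id();
      // Permission name follows the pattern used in the test hunk on this
      // page, e.g. "create terms in camelids".
      $permissions["create terms in $vid"] = [
        'title' => t('%vocabulary: Create terms', ['%vocabulary' => $vocabulary->label()]),
      ];
    }
    return $permissions;
  }

}

/**
 * Hypothetical access handler enforcing the per-bundle permissions.
 */
class ExampleTermAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
    // Either the vocabulary-specific permission or the global one suffices;
    // the result is automatically cached per user permissions.
    return AccessResult::allowedIfHasPermissions($account, [
      "create terms in $entity_bundle",
      'administer taxonomy',
    ], 'OR');
  }

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    $vid = $entity->bundle();
    switch ($operation) {
      case 'view':
        return AccessResult::allowedIfHasPermission($account, 'access content');

      case 'update':
        return AccessResult::allowedIfHasPermissions($account, [
          "edit terms in $vid",
          'administer taxonomy',
        ], 'OR');

      case 'delete':
        return AccessResult::allowedIfHasPermissions($account, [
          "delete terms in $vid",
          'administer taxonomy',
        ], 'OR');

      default:
        // Unknown operations are neither allowed nor forbidden here.
        return AccessResult::neutral();
    }
  }

}
```

The important property for the REST case is that a role holding only `create terms in camelids` can POST a term into that vocabulary, while PATCH and DELETE still require the corresponding `edit`/`delete` permission or `administer taxonomy`, so granting the blanket administrative permission is no longer necessary for any single operation.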

Remaining tasks

TBD

User interface changes

None.

API changes

None.

Data model changes

None.

Comments

Wim Leers created an issue. See original summary.

wim leers:

swentel:

dawehner:

#1038330: Allow specific vocabulary permissions to work on vocabulary admin pages will indeed fix the underlying issue, but maybe we have to enlarge our REST test coverage for that.

Yasiru Nilan:

I'm actually new to Drupal development. Where exactly is this change required? A file, maybe?

wim leers:

Title: To be able to create/update/delete Term entities via REST, one should not have to grant the 'administer taxonomy' permission » [PP-1] To be able to create/update/delete Term entities via REST, one should not have to grant the 'administer taxonomy' permission
Status: Active » Postponed
Issue tags: -Novice, -php-novice

#1038330: Allow specific vocabulary permissions to work on vocabulary admin pages hasn't been touched since September 2012. That's approaching its fifth birthday. I don't want to wait for that.

I'd actually say this is probably blocked on #2808217: To be able to view Vocabulary config entities via REST, one should not have to grant the 'administer taxonomy' permission to set a precedent.

This is definitely not novice in hindsight. Sorry, @Yasiru Nilan!

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

berdir:

I posted a detailed overview of all related issues that we have around this topic in #1848686-179: Add a dedicated permission to access the term overview page (without 'administer taxonomy' permission) (#179 if the link does not work).

That issue adds a create permission and also updates the term REST coverage for terms to use those permission. We could either remove the REST changes from there and do it here or close this as a duplicate of that issue. Leaving at postponed for now.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

wim leers:

Title: [PP-1] To be able to create/update/delete Term entities via REST, one should not have to grant the 'administer taxonomy' permission » To be able to create/update/delete Term entities via REST, one should not have to grant the 'administer taxonomy' permission
Status: Postponed » Closed (duplicate)

Add per-bundle "create" permission. The "update" and "delete" cases are less clear. But creating new terms is a very common necessity. Updating/editing and deleting terms is far less common, and is usually an administrator-only task.

This is exactly what #1848686: Add a dedicated permission to access the term overview page (without 'administer taxonomy' permission) did! It did so for all cases: "create", "update" and "delete"! You can see the consequences for the Taxonomy Term REST test coverage in the relevant hunk from that issue:

diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Term/TermResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/Term/TermResourceTestBase.php
index 44a4e83033..97599774b3 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/Term/TermResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Term/TermResourceTestBase.php
@@ -41,16 +41,23 @@ protected function setUpAuthorization($method) {
       case 'GET':
         $this->grantPermissionsToTestedRole(['access content']);
         break;
+
       case 'POST':
+        $this->grantPermissionsToTestedRole(['create terms in camelids']);
+        break;
+
       case 'PATCH':
-      case 'DELETE':
         // Grant the 'create url aliases' permission to test the case when
         // the path field is accessible, see
         // \Drupal\Tests\rest\Functional\EntityResource\Node\NodeResourceTestBase
         // for a negative test.
-        // @todo Update once https://www.drupal.org/node/2824408 lands.
-        $this->grantPermissionsToTestedRole(['administer taxonomy', 'create url aliases']);
+        $this->grantPermissionsToTestedRole(['edit terms in camelids', 'create url aliases']);
         break;
+
+      case 'DELETE':
+        $this->grantPermissionsToTestedRole(['delete terms in camelids']);
+        break;
+
     }
   }
 
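Review bot: The added empty line after the `DELETE` case's `break;`, immediately before the closing `}` of the switch, is superfluous whitespace that Drupal's coding-standards sniffs would flag; drop that blank `+` line so the switch ends with `break;` followed directly by `}`. Otherwise the split is sound: `POST`, `PATCH` and `DELETE` each grant only the matching per-vocabulary permission (`create terms in camelids`, `edit terms in camelids`, `delete terms in camelids`), so the test base no longer grants `administer taxonomy` for any method, which is precisely what this issue asked for. One thing worth confirming in the follow-up is that the `PATCH` case remains the only one that also grants `create url aliases`: if the path field should be exercised on creation as well, `POST` would need the same extra permission, mirroring the comment that points at NodeResourceTestBase.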

🎉