Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Please refer the problem/motivation section of #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method
Proposed resolution
Write EntityResourceTestBase subclass for the DateFormat entity.
Remaining tasks
References
1. Follow-up of #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method
2. Subtask of #2824572: Write EntityResourceTestBase subclasses for every other entity type.
Comment | File | Size | Author |
---|---|---|---|
#27 | entityresource_provide-2843772-27.patch | 15.53 KB | Wim Leers |
#10 | interdiff-2843772-8-10.txt | 622 bytes | shadcn |
#10 | entityresource_provide-2843772-10.patch | 8.71 KB | shadcn |
#8 | interdiff-2843772-4-8.txt | 2.12 KB | shadcn |
#8 | entityresource_provide-2843772-8.patch | 8.89 KB | shadcn |
Comments
Comment #3
shadcn CreditAttribution: shadcn at Chapter Three commentedI was looking at
\Drupal\system\DateFormatAccessControlHandler::checkAccess
and noticed we have the following code which makes DateFormat entities always accessible.The following test in
\Drupal\Tests\rest\Functional\EntityResource\EntityResourceTestBase::testGet
will probably fail:Should we patch
EntityResourceTestBase.php
for entities which are always 200?Comment #4
shadcn CreditAttribution: shadcn at Chapter Three commentedHere's a patch to confirm this.
Comment #5
shadcn CreditAttribution: shadcn at Chapter Three commentedHere's the exposed JSON data:
Comment #7
Wim Leers#3: Interesting. I think we can use the same approach as #2808217-27: To be able to view Vocabulary config entities via REST, one should not have to grant the 'administer taxonomy' permission:
Using
array_diff()
would be more elegant.Comment #8
shadcn CreditAttribution: shadcn at Chapter Three commentedOK let's see what fails here.
Comment #9
Wim LeersThis matches the parent implementation. So now we can simply delete this method altogether :)
After that's removed, this is RTBC!
Comment #10
shadcn CreditAttribution: shadcn at Chapter Three commentedThanks. Updated.
Comment #12
Wim LeersCI is crashing again.
Re-testing.
Comment #14
Wim LeersComment #15
alexpottThis is a bit weird. The examples given to justify this change are all content entities - and so 'access content' makes some sense for them - but not here imo. Why are we not just delegating to the parent in the case of view?
Comment #16
Wim LeersBecause
\Drupal\Core\Entity\EntityAccessControlHandler::checkAccess()
does:And the
admin_permission
forDateFormat
is'administer site configuration'
. So delegating to the parent would require that far too broad permission just to viewdate_format
config entities.This is blocked on #2870018: Should the 'access content' permission be used to control access to viewing configuration entities via REST reaching consensus.
Comment #17
Wim LeersConsensus was achieved! Quoting #2870018-35: Should the 'access content' permission be used to control access to viewing configuration entities via REST:
Comment #18
tstoecklerIs this not an API change? Can you elaborate on the consequences of this?
Comment #19
Wim LeersIt is tightening security, for something that should never have provided access blindly to everybody.
At the same time, it is extremely unlikely to affect anybody, because nothing is actually checking "view" access to DateFormat config entities today. REST is the first scenario where that is actually being checked, and so we are improving the access control handler here.
I share your concern about a theoretical BC break. I raised the same in the aforementioned issue. But dawehner and others convinced me that this is the safer, correct way to deal with this.
Comment #20
BerdirSome things are checking view access, for example entity reference fields as mentioned in the other issue. I'm not sure if there is a site out there with a date format entity reference, possibly not, but there are a number of config entities with perfectly valid use cases or where we're even doing it by default, like NodeType.
As I kind of suggested, if we do this, we should consider to at least keep the previous access for the view label operation.
Also, what's interesting is that viewing doesn't really mean the same for REST as it does for other kinds of viewing. It's perfectly valid to "view" a block in a traditional way, meaning, passing it through BlockViewBuilder. but viewing for rest is printing out its raw configuration, which is a very different thing.
For content entities, we have the field access as an additional layer of security. I'm pretty sure that many sites are accidently exposing a lot of internal data/fields through REST because usually those kind of fields are hidden by simply not printing them in the node template/view display configuration. But there we can at least claim that we *have* an API to solve that problem :)
Comment #21
Wim LeersSo you're saying that if this existed:
then we must at least do this:
?
Yes, this is a huge design flaw in the current system. But fortunately, the problem is limited to pretty much just block config entities. Block config entities really describe how a block should be rendered. I already opened #2820315: Blocks' 'view' operation is interpreted as "render on page" instead of "read this config entity" for this more than half a year ago.
Comment #22
catch#20/#21 looks like it needs more discussion to me.
Comment #23
Wim LeersI migrated/quoted #20 + #21 to/in #2870018-43: Should the 'access content' permission be used to control access to viewing configuration entities via REST. I agree.
These are now the changes to the access control handler:
Comment #24
Wim LeersIn #2870018-47: Should the 'access content' permission be used to control access to viewing configuration entities via REST, Berdir pointed to https://www.drupal.org/node/2661092. Fixed.
Comment #25
Wim LeersAnd here is comprehensive test coverage for
DateFormatAccessControlHandler
, per @Berdir's request at #2870018-47: Should the 'access content' permission be used to control access to viewing configuration entities via REST.Comment #27
Wim LeersUgh, c/p remnant, which I didn't notice because I ran the test with the PHPUnit test runner instead of
run-tests.sh
…Comment #28
Wim LeersSimilar test coverage added to #2843783-14: EntityResource: Provide comprehensive test coverage for Menu entity.
Comment #29
tedbowLooks good to me! RTBC!
Comment #30
catchCommitted 3a6bbc8 and pushed to 8.4.x. Thanks!
Comment #32
Wim LeersThanks!
Comment #33
kristiaanvandeneyndeThis patch introduced some tests which do explicit checking for UID 1. Can we please stop doing that? I'm trying to remove the special casing for UID 1 from core in #540008: Add a container parameter that can remove the special behavior of UID#1.
That said, we should avoid having tests rely on arcane voodoo (in this case UID 1) altogether. What does UID 1 tell a non-Drupal person who is looking at your tests to understand your code? Absolutely nothing.
Don't get me wrong, it's not my intention to discredit the work that has been done here. I'm just trying to raise awareness about tests needing to be explicit about their requirements. That my comment also shamelessly draws attention to the UID 1 issue is a nice side-effect :)
Comment #34
Wim LeersI understand you want to draw attention to that issue. I agree and applaud with the rationale/effort behind that issue.
But please look at the patch more closely, because:
This issue is actually making things easier for #540008: Add a container parameter that can remove the special behavior of UID#1. It's NOT adding test coverage tied to user 1. It's doing that in addition to an "admin" user that has the necessary permissions explicitly assigned. So, in #540008, you will be able to remove those two last use cases and simplify the setup!
Comment #35
kristiaanvandeneyndeAfter having read the tests I was planning to do exactly that :)
My first instinct when seeing these new tests break the UID 1 issue was "damage control" as I noticed both came from an issue that is part of a larger whole. My bad for trying to act quickly. I'll simplify the tests for the UID 1 issue.
Thanks Wim!
Comment #36
Wim Leersnp :)