Problem/Motivation
Follow up to #2899553: Architectural review of the Workflows module (documentation cleanups).
The checkWorkflowAccess() method in WorkflowTypeInterface is not really used by WorkflowTypeBase, then ContentModeration only uses it for the 'view' operation with the extra permissions 'view content moderation'. I'm not sure we need this level of granularity.
Proposed resolution
- Remove checkWorkflowAccess() from WorkflowTypeInterface, WorkflowTypeBase, and ContentModeration.
- Remove 'view content moderation' permission from content_moderation.permissions.yml, ModerationRevisionRevertTest, and ModerationStateAccessTest.
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#24 | 2900320-24.patch | 17.22 KB | timmillwood |
#24 | interdiff-2900320-24.txt | 2.13 KB | timmillwood |
#19 | 2900320-17.patch | 15.94 KB | Wim Leers |
#16 | 2900320-16.patch | 15.45 KB | Sam152 |
| |||
#16 | interdiff.txt | 8.76 KB | Sam152 |
Comments
Comment #2
timmillwoodHere's an initial patch for this.
Comment #3
Wim LeersThis is an API change, and therefore must happen before beta, otherwise these can only be
@deprecated
.Should this be tagged
?Comment #4
Wim LeersThis also addresses #2899553-3: Architectural review of the Workflows module (documentation cleanups)'s
\Drupal\workflows\WorkflowAccessControlHandler
.3 remark — yay!Once there's a change record in place, this is RTBC as far as I'm concerned.
Comment #5
timmillwoodAdded Change Record - https://www.drupal.org/node/2900445
RTBC'ing because @Wim Leers mentioned it's RTBC once the change record is in place.
Comment #6
Wim LeersThanks for the CR.
I know I said this would be RTBC, but:
These represent massive changes in access checking though. Are we sure we're not regressing? This is why I raised in #2899553-3: Architectural review of the Workflows module (documentation cleanups) that it's frightening that there's zero test coverage for
WorkflowAccessControlHandlerTest
.For peace of mind, we'd probably want those tests to be added here, in this issue.
Comment #7
timmillwoodI wouldn't say it's a massive change, it's just removing the call out to
checkWorkflowAccess()
, and changing it to return early rather than using the$admin_access
variable.Although, I agree we do need better access test coverage.
Comment #8
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedThis issue seems to be at odds with #2897148: Remove @internal from workflowHasData/workflowStateHasData and use those methods for access control and configuration validation.. Unless we moved the approach in that issue to a
hook_entity_access()
?Big +1 to removing the "view content moderation" permission though.
Comment #9
timmillwoodGood point @Sam152, moving back to "Needs review" for further discussion.
Comment #10
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedNW for the tests based on #6.
I'd say it's fine to proceed with this approach. We have hooks for altering access, which could be more understandable from a reviewers perspective ie, hooks are a pattern that contribute an existing access result vs the plugin method which doesn't come with any such prior understanding. #2897148 can implement the hook directly if consensus is reached about the outcome of the issue.
Marking as critical because of the api change.
Comment #11
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedAdding a test for this, I think this covers most of the scenarios in the access controller.
Am I correct in assuming we'll need a functional test for asserting the cacheability metadata? From what I can tell, they only kick in once rendering a response and don't act directly at an API level.
Comment #12
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedComment #14
Wim Leers@timmilwood++
@Sam152++
Thankfully you're not correct :) See
\Drupal\Tests\system\Kernel\DateFormatAccessControlHandlerTest
+\Drupal\Tests\system\Kernel\MenuAccessControlHandlerTest
for examples.Tagging major because this reduces the possibility that access checking will be misunderstood, wrongly extended or altered, which means it's a security improvement!
Reviewed the #11 interdiff. This is looking very very very very good already! 😀 With minor additional work, this will be perfect.
Why both of these cache tags? Why not only
workflow_type_plugins
orconfig:core.extension
?It's my comment at #2899553-3: Architectural review of the Workflows module (documentation cleanups) point 5 for the access control handler that spawned this.
In fact, using
config:core.extension
is definitely wrong upon closer inspection, becauseclass WorkflowTypeManager extends DefaultPluginManager
and that inherits\Drupal\Core\Plugin\DefaultPluginManager::clearCachedDefinitions()
which automatically performs tag-based invalidation, and that is guaranteed to be called automatically during module (un)installation thanks to\Drupal\Core\Plugin\PluginManagerPass
, which\Drupal\Core\Extension\ModuleInstaller::(un)install()
relies on when it does:In fact, you don't need to specify a cache tag there at all, unless you have other things you want to be able to rely on it.
This clears all plugin manager caches rather than just the one for our plugin manager.
👍
The asserting of TRUE or FALSE should be changed to asserting the actual return value.
Again, see
\Drupal\Tests\system\Kernel\MenuAccessControlHandlerTest::testAccess()
for an example.Comment #15
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedHaving a look at the feedback, thanks for the review.
Comment #16
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commented1. Our access check relies on it, so we need to keep it right?
2. Fixed.
3. :)
4. Done.
Comment #17
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedWhoops, removed unused class.
Comment #19
Wim LeersReview:
Nit: Unused, can be deleted.
Supernit: s/Set/Sets/
Nit:
{@inheritdoc}
Nit: could be typehinted to
\Drupal\workflows\WorkflowAccessControlHandler
This is just duplicating the previous assertion, likely a c/p remnant.
The name here is misleading, because this is testing more than only admin user test cases.
This is really just testing another operation, so should be merged with the above test function.
Furthermore, this is only testing as the admin user, not as the non-admin user.
Fixed all my remarks myself. The bulk of the work (the critical portion) was done by @Sam152, I just refactored it slightly to be more future-proof.
RTBC!
Comment #20
timmillwood+1 RTBC!
Comment #21
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedRolling in ::testStateDeleteAccess into the data providers looks awesome. +1 RTBC.
Comment #22
Wim LeersLike I said, you did the bulk of the work, the critical portion. I just had to shuffle things around. I've had others (I think dawehner?) show me this is the better way, just spreading the knowledge! :)
Comment #23
larowlanSo this permission was originally added in #2708941: Allow roles to view but not administer moderation state back in the workbench moderation days.
It was needed because if you added the 'state' to a view, you couldn't see it unless you had permission to administer the content moderation state entities.
Now that state is a string field on the ContentModerationState entity, this isn't needed.
If someone needs to implement plugin-level access controls, they can always switch out the access handler. But removing it here gives us less code to maintain and handles the 80% case.
There are a few unused use statements now - can we fix those as follows - thanks
Comment #24
timmillwoodRemoving the unused use statements, I think we're ready to go on these. We can always add the access checks back to the plugins if we find a use case, but at the moment I can't see one. Also not sure to alter it you need to switch out the access handler, it should be possible to fire a hook.
Comment #27
larowlanCommitted 10a1e15 and pushed to 8.5.x.
Cherry-picked as c3dda3d and pushed to 8.4.x.
Comment #28
Wim Leers🎉
Comment #30
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedLooks like the change record was never published for this. Have just updated it now.