If some of you are wondering how to implement permissions per exposed resource, this is how I approached this.
Ideally there should be a permission per resource per request method, but in my use case this was not necessary.
1) Alter the plugin definitions by implementing hook_jsonapi_resource_info_alter() in the module's .module file:

/**
 * Implements hook_jsonapi_resource_info_alter().
 *
 * Hook implementations are named <module>_<hook>; since the permission
 * callback in step 2 lives in my_module, the prefix must be my_module.
 */
function my_module_jsonapi_resource_info_alter(&$plugins) {
  $enabled_entity_types = [
    'node',
  ];
  // Only enable resources defined in the above array
  // AND override permissions.
  foreach (array_keys($plugins) as $plugin_id) {
    $plugins[$plugin_id]['enabled'] = in_array($plugins[$plugin_id]['entityType'], $enabled_entity_types, TRUE);
    // The permission name must match one defined by the permission
    // callback in step 2/3, e.g. "access resource node--article".
    $plugins[$plugin_id]['permission'] = 'access resource ' . $plugins[$plugin_id]['type'];
  }
}
2) In module.permissions.yml add:

permission_callbacks:
  - Drupal\my_module\Permissions::permissions
3) Add a new class in my_module/src:
https://www.drupal.org/files/issues/permissions_0.zip
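The zip linked above is not reproduced on this page, so the following is an added example of what the Permissions class from step 3 can look like; it is not the original poster's code. It assumes the module name my_module and the permission callback from step 2, and it assumes that the resource type name in $plugins[$plugin_id]['type'] has the form "<entity type>--<bundle>" (for example "node--article"), so that the generated permission names line up with the 'access resource ' . type strings the alter hook writes. Everything else it calls (entity_type.manager, entity_type.bundle_info, the class resolver calling create() on ContainerInjectionInterface implementations) is Drupal 8 core.

```php
<?php

namespace Drupal\my_module;

use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Drupal\Core\Entity\EntityTypeBundleInfoInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Defines one "access resource <type>" permission per enabled resource.
 *
 * The permission names must be identical to the strings that the
 * hook_jsonapi_resource_info_alter() implementation writes into
 * $plugins[$plugin_id]['permission']; a permission that is referenced
 * there but never defined here cannot be granted to any role.
 */
class Permissions implements ContainerInjectionInterface {

  use StringTranslationTrait;

  /**
   * Entity types whose resources are enabled.
   *
   * Keep this in sync with $enabled_entity_types in the alter hook.
   */
  const ENABLED_ENTITY_TYPES = ['node'];

  /**
   * Separator between entity type and bundle in a resource type name.
   *
   * Assumption: resource types are named "<entity type>--<bundle>", e.g.
   * "node--article". Verify against $plugins[$plugin_id]['type'] in the
   * alter hook and adjust if your version of the module names them
   * differently.
   */
  const TYPE_SEPARATOR = '--';

  /**
   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
   */
  protected $entityTypeManager;

  /**
   * @var \Drupal\Core\Entity\EntityTypeBundleInfoInterface
   */
  protected $bundleInfo;

  public function __construct(EntityTypeManagerInterface $entity_type_manager, EntityTypeBundleInfoInterface $bundle_info) {
    $this->entityTypeManager = $entity_type_manager;
    $this->bundleInfo = $bundle_info;
  }

  /**
   * {@inheritdoc}
   *
   * permission_callbacks are instantiated through the class resolver, which
   * uses create() for ContainerInjectionInterface implementations.
   */
  public static function create(ContainerInterface $container) {
    return new static(
      $container->get('entity_type.manager'),
      $container->get('entity_type.bundle_info')
    );
  }

  /**
   * Returns the permission definitions, keyed by permission name.
   *
   * @return array
   *   A permissions array in the format expected by permission_callbacks.
   */
  public function permissions() {
    $permissions = [];
    foreach (static::ENABLED_ENTITY_TYPES as $entity_type_id) {
      // Skip entity types that are not installed on this site rather than
      // defining permissions for resources that cannot exist.
      if (!$this->entityTypeManager->hasDefinition($entity_type_id)) {
        continue;
      }
      foreach ($this->bundleInfo->getBundleInfo($entity_type_id) as $bundle => $info) {
        $type = $entity_type_id . static::TYPE_SEPARATOR . $bundle;
        $permissions['access resource ' . $type] = [
          'title' => $this->t('Access the %type JSON API resource', ['%type' => $type]),
          'description' => $this->t('Allows requests for the @label resource through JSON API.', ['@label' => $info['label']]),
        ];
      }
    }
    return $permissions;
  }

}
```

After a cache rebuild the generated permissions show up on the permissions page under the module's name. A quick check that the two halves agree is to request a resource of an enabled type as a user whose role lacks the matching "access resource <type>" permission and confirm the request is denied, then grant the permission and repeat; if the permission name in the alter hook and the one generated here differ by even one character (a different separator, say), nobody can be granted access to that resource.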
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | add_permission_per_enabled_resouce-2810371-6.patch | 2.97 KB | robin.ingelbrecht |
Comments
Comment #2
e0ipso
Comment #3
e0ipso: @robin.ingelbrecht can you update a patch instead?
Thanks!
Comment #4
robin.ingelbrecht: You mean a patch/fix on the JSON API module? Or just this example code in a patch file?
Comment #5
e0ipso: A patch that can be applied to the module using Git. See https://www.drupal.org/patch for more help.
Comment #6
robin.ingelbrecht (EntityOne): Created a patch to expose a permission per enabled resource.
Comment #7
e0ipso: This patch does not include a solution to the problem where, for a given user, an accessible resource entity has a relationship to an inaccessible resource. In that scenario, with this patch, the related resource would leak through the includes.
This is a hard problem that is being considered in #2807185: [BUGFIX] Handle relationships when target resource is not accessible.
I'm not sure how valuable it is to have access control over the resources themselves. If a user has access to an entity, there should not be a problem for them to access that same entity in the JSON API format (after all, they can get the info anyway in a different format). If you need access restrictions, I'd suggest restricting access at the entity level.
Comment #8
robin.ingelbrecht (EntityOne): You're right, I hadn't thought about that. We should recursively check all included entities and apply those access rights as well.
Well, then that is another bug, because when I have the "view my custom entity" permission off, I still get the entity as a response; this should return an "access denied"...
The reason I wanted to implement these permissions is REST UI. REST UI exposes, apart from the D8 core permissions view, edit and delete, its own permissions. In my opinion, this is a good approach. This way you can allow anonymous users to access your entity via HTML, but only let authenticated users access it via the REST API.
Comment #9
e0ipso: Can you double-check that with the latest version? If that is still true, please submit a separate bug report. Thanks!
In my opinion access is related to the user and the entity, not the presentation format.
Comment #10
robin.ingelbrecht (EntityOne): Thought it was a good idea to do things the D8 core way, but in some way I can relate to your argument. So you can close this issue if this won't be implemented.
I will double-check the "view my entity" permission and open a new issue if needed.
Comment #11
robin.ingelbrecht (EntityOne): REST core changed its approach to permissions in Drupal 8.2. Only resources which aren't Entity Resources have their own permission. Otherwise the permissions of the entity are used. So this issue is kind of obsolete because JSON API and REST core now have the same approach concerning permissions.
Comment #12
e0ipso: Thanks for closing the loop here.
Comment #13
chrishk2015: Can anyone point me in the right direction for how to implement this with the latest version of the module? It's exactly what I need!
Comment #14
e0ipso: You should check JSON:API Extras, it may give you what you need.