If some of you are wondering how to implement permissions per exposed resource, this is how I approached this.
Ideally there should be a permission per resource per request method, but in my use case this was not necessary.

1) Alter the plugin definitions by implementing hook_jsonapi_resource_info_alter():

/**
 * Implements hook_jsonapi_resource_info_alter().
 *
 * The function name must be prefixed with the implementing module's
 * machine name (here my_module), otherwise the hook is never invoked.
 */
function my_module_jsonapi_resource_info_alter(&$plugins) {
  // Entity types whose JSON API resources should stay exposed.
  $enabled_entity_types = [
    'node',
  ];

  // Only enable resources defined in the above array
  // AND override the permission each resource requires.
  foreach (array_keys($plugins) as $plugin_id) {
    $plugins[$plugin_id]['enabled'] = in_array($plugins[$plugin_id]['entityType'], $enabled_entity_types, TRUE);
    // One permission per resource type, e.g. "access resource node--article".
    $plugins[$plugin_id]['permission'] = 'access resource ' . $plugins[$plugin_id]['type'];
  }
}

2) In module.permissions.yml add:

permission_callbacks:
  - Drupal\my_module\Permissions::permissions

3) Add a new class in my_module/src:
https://www.drupal.org/files/issues/permissions_0.zip
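For step 3, an added example of what such a Permissions class can look like (this is not the class from the zip above, nor JSON API module code): it builds the permission names from the entity bundle info so they match the 'access resource ' . type strings set in step 1, assuming JSON API names resource types entity_type--bundle and that the enabled list is ['node'] as in the hook.

```php
<?php

namespace Drupal\my_module;

use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Drupal\Core\Entity\EntityTypeBundleInfoInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Defines one "access resource <entity_type>--<bundle>" permission for every
 * resource enabled by the hook_jsonapi_resource_info_alter() implementation.
 */
class Permissions implements ContainerInjectionInterface {

  use StringTranslationTrait;

  // Entity types whose resources are enabled; keep in sync with the hook.
  const ENABLED_ENTITY_TYPES = ['node'];

  /** @var \Drupal\Core\Entity\EntityTypeBundleInfoInterface */
  protected $bundleInfo;

  public function __construct(EntityTypeBundleInfoInterface $bundle_info) {
    $this->bundleInfo = $bundle_info;
  }

  public static function create(ContainerInterface $container) {
    return new static($container->get('entity_type.bundle.info'));
  }

  // Permission callback referenced from my_module.permissions.yml.
  public function permissions() {
    $permissions = [];
    foreach (static::ENABLED_ENTITY_TYPES as $entity_type_id) {
      foreach ($this->bundleInfo->getBundleInfo($entity_type_id) as $bundle => $info) {
        // Assumed resource type naming "<entity_type>--<bundle>", so this key
        // equals 'access resource ' . $plugins[$plugin_id]['type'] set in the hook.
        $type = $entity_type_id . '--' . $bundle;
        $permissions['access resource ' . $type] = [
          'title' => $this->t('Access the JSON API resource %type', ['%type' => $type]),
          // Only the requested resource is gated by this permission; entities
          // reached through relationships or ?include are not covered by it.
          'description' => $this->t('Does not restrict related entities returned via include.'),
        ];
      }
    }
    return $permissions;
  }
}
```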


Comments

robin.ingelbrecht created an issue. See original summary.

e0ipso wrote:

Title: Add permission per enabled resource » [SUPPORT] Add permission per enabled resource
e0ipso wrote:

@robin.ingelbrecht can you update a patch instead?

Thanks!

robin.ingelbrecht wrote:

You mean a patch/fix on the json api module? Or just this example code in a patch file?

e0ipso wrote:

A patch that can be applied to the module using GIT. See https://www.drupal.org/patch for more help.

robin.ingelbrecht wrote:

Created a patch to expose a permission per enabled resource.

e0ipso wrote:

Status: Active » Needs work

This patch does not include a solution to the problem where for a given user, in an accessible resource entity there is a relationship to an inaccessible resource. In that scenario, with this patch, the related resource would leak through the includes.

This is a hard problem that is being considered in #2807185: [BUGFIX] Handle relationships when target resource is not accessible.

I'm not sure how valuable it is to have access control over the resources themselves. If a user has access to an entity, there should not be a problem for them to access that same entity in the JSON API format (after all, they can get the info anyway in a different format). If you need access restrictions, I'd suggest restricting the access at the entity level.

robin.ingelbrecht wrote:

You're right, I hadn't thought about that. We should recursively check all included entities and apply those access rights as well.

If a user has access to an entity, there should not be a problem for them to access that same entity in the JSON API format

Well then that is another bug, because when I have the "view my custom entity" permission off, I still get the entity as a response; this should return an "access denied"...

The reason why I wanted to implement these permissions is because of REST UI. REST UI exposes, apart from the D8 core view, edit and delete permissions, its own permissions. In my opinion, this is a good approach. This way you can allow anonymous users to access your entity via HTML, but only let authenticated users access them via the REST API.

e0ipso wrote:

Well then that is another bug, because when I have the "view my custom entity" permission off, I still get the entity as a response, this should return an "access denied"...

Can you double check that with the latest version? If that is still true, please submit a separate bug report. Thanks!

This way you can allow anonymous users to access your entity via HTML, but only let authenticated users access them via the REST API.

In my opinion access is related to the user and the entity, not the presentation format.

robin.ingelbrecht wrote:

Thought it was a good idea to do things the D8 core way, but in some way I can relate to your argument. So you can close this issue if this won't be implemented.

I will double check the "view my entity" permission and open a new issue if needed.

robin.ingelbrecht wrote:

REST core changed its approach on permissions in Drupal 8.2. Only resources which aren't Entity Resources have their own permission. Otherwise the permissions of the entity are used. So this issue is kinda obsolete because JSONAPI and REST core have the same approach concerning permissions now.

e0ipso wrote:

Status: Needs work » Closed (won't fix)

Thanks for closing the loop here.

chrishk2015 wrote:

Can anyone point me in the right direction for how to implement this with the latest version of the module? It's exactly what I need!

e0ipso wrote:

You should check JSON:API Extras, it may give you what you need.