Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
We want to be more specific when serializing access denied exception. In particular we want the resource identifier object to be present in the error. That resource identifier object should point to the entity that caused the access denied exception.
Proposed resolution
Introduce an EntityAccessDeniedHttpException in the same fashion that we did for UnprocessableHttpEntityException.
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#15 | 2844130--interdiff--11-13.txt | 5.65 KB | e0ipso |
#13 | 2844130--custom-403-exception--13.patch | 19.42 KB | e0ipso |
| |||
#10 | 2844130-10.patch | 16.63 KB | dawehner |
| |||
#8 | interdiff.txt | 4.77 KB | dawehner |
#8 | 2844130-8.patch | 12.5 KB | dawehner |
Comments
Comment #2
dawehnerHere is a rough start. Do you believe we should support potential multiple sources of errors on the longrun? I guess for now, as we throw exceptions, we can't really.
Comment #3
e0ipsoThanks @dawehner! This is definitely the path we want to move this forward.
Some comments.
The
new
statements do not match the class constructor arguments.There seems to be quite some duplication around this code.
What if we had a static method in
EntityAccessDeniedHttpException
that did all this?Something like:
In that scenario we could turn
addError
into a protected method to reduce API surface.Copy & Pasta
This approach seems a bit brittle. Why not an array of errors keyed by entity ID.
That way the arrays cannot get out of sync with each other.
What's the gain on returning self instead of not returning?
Comment #4
dawehnerI thought about that ... there is one small problem, the backtrace would be a bit more confusing than on a normal exception. The backtrace will be created where the new call is done. Do we care much about that?
Well, theoretically we could chain call, but I couldn't care less :)
Comment #5
dawehnerComment #8
dawehnerOne remaining question is: Do we really want to pretend we can support multiple exception. To be honest I'm not convinced by that.
Comment #10
dawehnerI removed the "support" for multiple exceptions now. The test coverage got also improved.
Comment #11
e0ipsoThis should be enforced by
protected $supportedInterfaceOrClass = EntityAccessDeniedHttpException::class;
. However I'm good keeping this in case anyone changes the applies logic when extending this.Assigning to myself to add a test for a collection that includes 403. I also did a needed reroll.
Comment #12
e0ipsoComment #13
e0ipsoChanges:
Comment #14
e0ipsoUgh! I sent the interdiff with the wrong extension. Now the testbot is going to choke. Is there any way to cancel a queued test?
Comment #15
e0ipsoComment #16
e0ipsoComment #18
dawehnerThank you @e0ipso!
Comment #20
Wim LeersThis didn't follow the JSON API spec in one area, being fixed in #2943176: Spec Compliance: when error object 'id' key exists, it contains the individual resource URI, instead of "a unique identifier for this particular occurrence of the problem".