Generate permissions for all entity operations

[pfrenssen]

Currently we only generate permissions for the standard CRUD operations 'create', 'update', 'view' and 'delete' in PermissionManager::generateCrudPermissionList(). Modules can change the available operations for different entity types using hook_entity_permission() and hook_entity_permission_alter(). This means that the full 4 CRUD operations might not be available, or new operations might be added at will.

Some examples are the Content Translation module which adds a 'translate' operation, and the OG Menu module which adds an 'add link' operation.

We currently use the pattern of providing two permissions for each operation, depending on whether or not the user owns the entity which is being operated upon (e.g. 'delete all entities' vs 'delete own entities'). It would be good to continue this pattern for all operations for now, even though there are cases where this doesn't make sense.

We will also need to rename the existing permissions to accommodate the new flexibility. It will need to become something akin to perform the $operation operation on $entity_type_id entities of type $bundle_id.

Since these auto-generated permissions and their labels are quite wordy and not human-friendly it would also be great to provide an alter hook so the automatically generated permissions can be tweaked, and perhaps even a 'provider hook' so modules can opt to provide their own set of permissions instead of the auto generated ones.

[pfrenssen]

I researched this today and this doesn't seem to be possible in core today. Our best bet will be to use the Entity Operations module once it is ported to Drupal 8.

For more information, see https://www.drupal.org/node/2744683#comment-11274521

[amitaibu]

Not a big fan of a hard dependency. So we could add permissions for core
entities, and only if that module exists leverage it. Sounds right?
On Jun 8, 2016 7:05 PM, "Pieter Frenssen" [email protected] wrote:

I researched this today and this doesn't seem to be possible in core
today. Our best bet will be to use the Entity Operations module once it is
ported to Drupal 8.

For more information, see
https://www.drupal.org/node/2744683#comment-11274521

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#222 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AAHrC_zKOwkJ1_3Uq-L9KTZ5fqD0eEQzks5qJuhHgaJpZM4IvvaU
.

[pfrenssen]

Yes that sounds like a good plan. For the moment I am going to put an alter hook in, so any module can supply support for their own entity operations. My immediate need for this is the OG Menu module, which has a special 'add menu item' operation.

[pfrenssen]

Note that this is a long term plan, this issue is not actionable today. It can only be worked on as soon as support for formalized access control on entity operations is added to Drupal core, or provided by a contrib module such as Entity Operations.

[MPParsley]

Drupal core 9.3 now provides a generic access API for node and media revisions.
See https://www.drupal.org/project/drupal/issues/3043321

We should add revision permissions, see Gizra#736.