Quantcast
Channel: Issues for Drupal core
Viewing all articles
Browse latest Browse all 299618

Implement admin role as a flag on the role storage, simplify permissions page, remove user_modules_installed

$
0
0

Problem/Motivation

Core has an admin role, which has by design all permissions. To achieve this user.module traditionally assigned all new permissions to the admin role.

This approach is flawed in several ways:

a) Drupal now has dynamic permissions, which are not rebuild, when e.g. a new filter format is imported via config - unless it is installed as a module. That means the admin role. That is a bug, because module installation is not the only thing that can define new permissions.
b) The permissions page allows removing admin permissions of admin role. This is confusing, because when the next module is installed, those permissions are back.
c) user_modules_installed() needs to re-build the router, because some permissions use $entity->uri(), which brings the installer memory wise over what we want.

Proposed resolution

- Create a boolean flag in the Role entity ->isAdminRole()
- Always pass all permissions check for that role.
- Remove user_modules_installed()
- Profit!

Remaining tasks

- Create patch

User interface changes

- (possibly) remove admin role from permissions page

API changes

- Introduce ->isAdminRole() on the Role Entity interface

Original report

dawehner:

Could we mark roles as being admin roles and instead of assigning all permissions to it automatically, adapt
\Drupal\user\RoleStorage::isPermissionInRoles to check for a boolean flag on the admin role entity?

Berdir:

I've thought of that today as well, thought we could check the admin role setting, but a flag on the role itself could indeed be an advantage because then we have nothing additional that we need to load.

Could even help the permissions page because then we could opt out of displaying checkboxes for that role completeley. Sounds like being able to remove certain permissions from the admin role is no longer an option anyway, if user_modules_installed() now works they way it does.

Beta phase evaluation

Issue priorityMajor because user_modules_installed() assigning all permissions is problematic for memory requirements we want to met.
Prioritized changesThe main goal is consistency, ensuring the admin role can perform its function and performance by removing the need for user_modules_installed, which calls the router rebuild, which saves 2.5 seconds and around 10 MB.
DisruptionNo disruption, admin role is an internal feature and after module installation all permissions are back anyway to it.

Viewing all articles
Browse latest Browse all 299618

Latest Images

Trending Articles



Latest Images

<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>