Problem/Motivation
Core has an admin role, which has by design all permissions. To achieve this user.module traditionally assigned all new permissions to the admin role.
This approach is flawed in several ways:
a) Drupal now has dynamic permissions, which are not rebuild, when e.g. a new filter format is imported via config - unless it is installed as a module. That means the admin role. That is a bug, because module installation is not the only thing that can define new permissions.
b) The permissions page allows removing admin permissions of admin role. This is confusing, because when the next module is installed, those permissions are back.
c) user_modules_installed() needs to re-build the router, because some permissions use $entity->uri(), which brings the installer memory wise over what we want.
Proposed resolution
- Create a boolean flag in the Role entity ->isAdminRole()
- Always pass all permissions check for that role.
- Remove user_modules_installed()
- Profit!
Remaining tasks
- Create patch
User interface changes
- (possibly) remove admin role from permissions page
API changes
- Introduce ->isAdminRole() on the Role Entity interface
Original report
dawehner:
Could we mark roles as being admin roles and instead of assigning all permissions to it automatically, adapt
\Drupal\user\RoleStorage::isPermissionInRoles to check for a boolean flag on the admin role entity?
Berdir:
I've thought of that today as well, thought we could check the admin role setting, but a flag on the role itself could indeed be an advantage because then we have nothing additional that we need to load.
Could even help the permissions page because then we could opt out of displaying checkboxes for that role completeley. Sounds like being able to remove certain permissions from the admin role is no longer an option anyway, if user_modules_installed() now works they way it does.
Beta phase evaluation
Issue priority | Major because user_modules_installed() assigning all permissions is problematic for memory requirements we want to met. |
---|---|
Prioritized changes | The main goal is consistency, ensuring the admin role can perform its function and performance by removing the need for user_modules_installed, which calls the router rebuild, which saves 2.5 seconds and around 10 MB. |
Disruption | No disruption, admin role is an internal feature and after module installation all permissions are back anyway to it. |