Channel: Issues for Drupal core

Add dblog-specific permissions to control access to dblog routes


Problem/Motivation

While creating reports for some of the users on one of the sites I'm currently working on, I realized that they should be reachable from the Reports menu, not the Content menu, which is where we've been putting our custom reports up to this point.

When I masqueraded as one of the users (a non-admin user) who would access these reports, I found that some dblog reports were still visible in the menu. This led me to find that the dblog reports' permissions are based on the 'access site reports' permission, which is the same permission used to grant access to the Reports menu item (specifically the system.admin_reports route in web/core/modules/system/system.routing.yml).

There should be a permission specific to the dblog module that grants access to dblog-related reports to prevent users who shouldn't see these reports from being able to see them.

Proposed resolution

I propose the following changes:

  • Add an 'access dblog reports' permission
  • Change the permission requirement on all dblog routes from 'access site reports' to 'access dblog reports'

Remaining tasks

  • Write tests to ensure the 'access dblog reports' permission works as intended.

User interface changes

Users with the 'access site reports' permission but without the 'access dblog reports' permission will no longer be able to access dblog reports. Users who should be able to access these reports will need the 'access dblog reports' permission added to at least one of their assigned roles.

UPDATE!: In the most recent push to the branch I added an update hook that will add the 'access dblog reports' permission to any roles that have the 'access site reports' permission. This way users won't lose access to the reports.

Introduced terminology

None.

API changes

None.

Data model changes

None.

Release notes snippet

  • Added the 'access dblog reports' permission to control access to dblog routes.
  • Updated dblog routes to use the 'access dblog reports' permission.
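A sketch of the role migration described in the update note above, added here as an example and not taken from the issue's branch. It is written as a post-update hook because it saves role config entities through the entity API; the function name and the file it would live in (`dblog.post_update.php`) are assumptions.

```php
<?php

use Drupal\user\Entity\Role;

/**
 * Grant 'access dblog reports' to roles that have 'access site reports'.
 *
 * Hypothetical function name; the page does not give the real one.
 */
function dblog_post_update_grant_access_dblog_reports(&$sandbox = NULL) {
  $updated = [];

  foreach (Role::loadMultiple() as $role) {
    // Admin roles implicitly hold every permission, so hasPermission()
    // is always TRUE for them and nothing has to be stored.
    if ($role->isAdmin()) {
      continue;
    }

    // Only touch roles that could reach the dblog routes before the
    // route permission changed, and that do not have the new one yet.
    if ($role->hasPermission('access site reports')
      && !$role->hasPermission('access dblog reports')) {
      $role->grantPermission('access dblog reports');
      $role->save();
      $updated[] = $role->id();
    }
  }

  // The returned string is shown in the database update output, which
  // gives site owners a list of roles to review afterwards.
  if ($updated) {
    return 'Granted "access dblog reports" to: ' . implode(', ', $updated);
  }
  return 'No roles needed the "access dblog reports" permission.';
}
```

Because the migration copies the existing grant, effective access is unchanged right after the update. The separation only takes effect once 'access dblog reports' is revoked from the roles that should see the Reports menu but not the log entries.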
