Problem/Motivation
It would be OK to allow users to view their own roles, either in the UI on their user edit form or through JSON:API / GraphQL. Viewing other users' roles shouldn't be possible, as it would be a relevant information disclosure.
Steps to reproduce
- Install a fresh Drupal site and enable JSON:API module
- Add a new non-admin user with the "Content editor" role
- Log in as the new user and visit their user form. The user cannot view their own role
- Go to /jsonapi/user/user and check that the 'roles' relationship is not present for the current user object in the collection.
Proposed resolution
Add a new permission "View own account details" to let the user view, but not edit, their own roles.
Remaining tasks
- Add the new permission and the AccessControlHandler changes. Done
- Let the user view their own roles at the user edit form. Done
- Functional test the user edit form. Done
- Functional test the JSON:API. Done
User interface changes
Users who have the new "View own account details" permission can now view, but not edit, their own roles from their user edit form. They cannot view other users' roles.
Introduced terminology
None
API changes
The 'roles' relationship is now returned for the user's own JSON:API user--user object if the user has the "View own account details" permission.
Data model changes
None
Release notes snippet
A new permission "View own account details" was added to let the user view, but not edit, their granted roles.
Original report by @joaogarin
Hello,
I am using GraphQL with Drupal, but I think this issue might be a generic Drupal core issue, so opening it up here. Currently, when accessing the user roles via an endpoint (GraphQL, JSON API or REST, I think), the user's roles are always set to access denied and return empty if the user is not an administrator.
It might be a similar situation to https://www.drupal.org/project/drupal/issues/3026264 (?). With some pointers I would be able to get a patch started here and kick off the conversation.
I guess it would be OK to allow users to access their own roles by default; maybe accessing other users' roles could already be classified as an access violation of some sort.
Looking forward to some feedback! Thanks! Cheers
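The behaviour described under "API changes" (the 'roles' relationship present on the user's own user--user object, absent on everyone else's) can be checked against a JSON:API response as follows. This is an added example, not part of the issue or of Drupal core; the UUIDs and the sample document are constructed, and the function name is hypothetical.

```python
import json

OWN = "11111111-1111-4111-8111-111111111111"    # constructed UUID
OTHER = "22222222-2222-4222-8222-222222222222"  # constructed UUID

# Constructed sample of a /jsonapi/user/user collection, trimmed to the
# members this check reads. The role UUID is a placeholder.
SAMPLE = json.loads("""
{"data": [
  {"type": "user--user", "id": "11111111-1111-4111-8111-111111111111",
   "attributes": {"display_name": "editor"},
   "relationships": {"roles": {"data": [
     {"type": "user_role--user_role",
      "id": "33333333-3333-4333-8333-333333333333"}]}}},
  {"type": "user--user", "id": "22222222-2222-4222-8222-222222222222",
   "attributes": {"display_name": "someone_else"}}
]}
""")


def audit_roles_exposure(document, own_uuid):
    """Return (own_has_roles, leaked_ids) for a JSON:API user response.

    own_has_roles: the object whose id is own_uuid carries 'roles'.
    leaked_ids: ids of other user--user objects that expose 'roles',
    which is the information disclosure the issue wants to prevent.
    """
    data = document.get("data") or []
    if isinstance(data, dict):  # individual resource, not a collection
        data = [data]
    # User objects can also arrive through ?include=..., so scan both.
    resources = data + (document.get("included") or [])
    own_has_roles, leaked = False, []
    for resource in resources:
        if resource.get("type") != "user--user":
            continue
        has_roles = "roles" in (resource.get("relationships") or {})
        if resource.get("id") == own_uuid:
            own_has_roles = own_has_roles or has_roles
        elif has_roles:
            leaked.append(resource.get("id"))
    return own_has_roles, leaked


if __name__ == "__main__":
    print(audit_roles_exposure(SAMPLE, OWN))
```

For an account with the "View own account details" permission the expected result is own_has_roles true and an empty leaked list; any id in the leaked list means another user's roles are visible to the requester.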