The nightmare of permissions and OAuth scopes in Drupal

Drupal's role-based access control is one of its strengths. Permissions and roles are well-understood, and the system is mature. But the moment you step outside the standard cookie-based session — say, into OAuth with the authorization code flow — you hit a wall that the core permission model never anticipated.

mglaman.dev
@mglaman Acktuallly... only bypass node access is the super permission. It was split off from the administer permission which only handles some weird leftovers like access to status and promote fields
@berdir we did this on purpose?!
@mglaman did what? We split bypass and access overview from the general admin permission on purpose, yes. The mess that the admin permission now is, is just a byproduct, which is why we want to remove it completely
@mglaman my point is that doing what you do with the admin permission is wrong, you should do it with bypass and only that. The admin permission does _not_ allow you to edit any node type. Although I don't quite get the problem you're trying to solve
@berdir this seems so wrong, so Entity API and its structure of admin permission and then granular CRUD is wrong? Why a bypass permission? The administer permission should allow all CRUD
@mglaman bypass is essentially the admin permission for nodes, just differently named because it was split. Administer nodes is just leftovers that are very very slowly split into dedicated permissions such as the recently added publish content permission
@berdir so it's mostly naming, which feels really weird (like bypass should have been legacy and moving to administer). But I get it now