Drupal 8 entity access permission problems

Sometimes even when you think you’ve given all the correct permissions to a user role Drupal still denies access to a node. This happened to me this week at work unfortunately and I spent some time digging through Drupal 8’s codebase to track down where and why it does this. So in case someone else has this problem as well, these calls in order are the interesting code parts to check out.

AccessManager::check
AccessManager::performCheck
EntityAccessCheck::access
Node::access
ContentEntityBase::access
EntityAccessControlHandler::access

In my case from the bottom of this stack turned out to be one of the modules that denied access. EntityAccessControlHandler::access method calls ModuleHandler::invokeAll to query the modules if they will allow access. Let’s see that Drupal method in version 8.3.x:

public function invokeAll($hook, array $args = []) {
$return = [];
$implementations = $this->getImplementations($hook);
foreach ($implementations as $module) {
$function = $module . ‘_’ . $hook;
$result = call_user_func_array($function, $args);
if (isset($result) && is_array($result)) {
$return = NestedArray::mergeDeep($return, $result);
}
elseif (isset($result)) {
$return[] = $result;
}
}

return $return;
}

As we can see it calls a hook, and passes the arguments that go into the method. The hooks are the following typically:

entity_access
node_access

The arguments are the following:

[ $entity, $operation, $account ]

Operations in case of access can be the following:

create
read
update
delete

Using these information we can filter the calls and list which module(s) deny access and then check out what their problem is

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: