Extend the entity access system with a new grants API (and deprecate the query-alter-based node grants API)
BoF Vienna 2017
nielsvandermolen
Agenda
```yaml
# config/install/system.access_policy.author_is_user_1337.yml

label: 'Author is user 1337'
description: 'Only user 1337 can edit their own nodes and terms'
entity_types: [node, term]
operations: [update]
policy_set: [core]
performance: fast / priority: 1

# SIMPLY AN EXAMPLE, BUT YOU GET THE IDEA
contexts:
  current_user:
    plugin: current_user

conditions:
  entity_id_match:
    entity: current_user
    id: 1337
    negate: false
  entity_owner:
    entity: entity # You get a context called 'entity' for free
    owner: current_user
```
How policy sets and policies combine (diagram from the slides): policy sets are ANDed, the policies inside a set are ORed.

Policy set core AND Policy set group AND Policy set custom 1

  Policy set core:     Policy A OR Policy B OR Policy C
  Policy set group:    Policy K OR Policy L OR Policy C
  Policy set custom 1: Policy X OR Policy Y OR Policy Z
Example for view nodes operation

| Policy set | Core | Group | Mature content (custom 1) | Special event |
|---|---|---|---|---|
| Policies | User can see published content | Node is posted in a group and user is member of the group | Users that are 18+ can see nodes labeled as mature | User can see a special event node if he is at a specific location after 12:00 |
| | User has the bypass access permission | User has the bypass access permission | | User has the bypass access permission |
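An added worked example (not code from the slides or from Drupal) of the combination rule sketched here: policy sets are ANDed, the policies inside a set are ORed, using the view-nodes table as input. The context shapes, the condition names, and the `applies` filter that skips a set which does not cover the entity (modelled on the `entity_types` / `operations` keys of the YAML) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Context = Dict[str, dict]          # assumed shape: {"user": {...}, "entity": {...}}
Condition = Callable[[Context], bool]

@dataclass
class Policy:
    name: str
    conditions: List[Condition]    # all conditions must hold, as in the YAML example

    def grants(self, ctx: Context) -> bool:
        return all(cond(ctx) for cond in self.conditions)

@dataclass
class PolicySet:
    name: str
    policies: List[Policy]         # one granting policy suffices (OR)
    applies: Condition = field(default=lambda ctx: True)  # assumption: non-applicable sets are skipped

    def grants(self, ctx: Context) -> bool:
        return any(p.grants(ctx) for p in self.policies)

def denying_set(policy_sets: List[PolicySet], ctx: Context) -> Optional[str]:
    """Name of the first applicable set that denies, or None when every set grants (AND)."""
    for ps in policy_sets:
        if ps.applies(ctx) and not ps.grants(ctx):
            return ps.name
    return None

def access_allowed(policy_sets: List[PolicySet], ctx: Context) -> bool:
    return denying_set(policy_sets, ctx) is None

# Conditions for the "view nodes" table (constructed context keys, not Drupal's)
bypass = lambda c: "bypass node access" in c["user"]["permissions"]
published = lambda c: c["entity"]["status"] == "published"
member = lambda c: c["entity"]["group"] in c["user"]["groups"]
adult = lambda c: c["user"]["age"] >= 18

VIEW_NODE_SETS = [
    PolicySet("core", [Policy("published", [published]), Policy("bypass", [bypass])]),
    PolicySet("group", [Policy("member", [member]), Policy("bypass", [bypass])],
              applies=lambda c: c["entity"].get("group") is not None),
    PolicySet("mature content", [Policy("adult", [adult])],
              applies=lambda c: c["entity"].get("mature", False)),
]

def can_view(user: dict, entity: dict) -> bool:
    return access_allowed(VIEW_NODE_SETS, {"user": user, "entity": entity})
```

A 16-year-old viewing a published node labeled mature is denied by the mature set even though core grants, which is the AND between sets; a user with the bypass permission passes every set that lists it, which is the OR inside a set.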
Implementation phase