I have an Ember application on the frontend consuming Drupal's JSONAPI.

Drupal has the commerce module installed.

The ember application is requesting all product_types, and needs to display information about the product types.

The product type has fields on it such as description, variationType and label, but as an anonymous user, I cannot see all these attributes, only label.

It seems like this is an issue with the way the commerce module checks permissions.

if (!$access->isAllowed()) {
  // If this is the default revision or the entity is not revisionable, then
  // check access to the entity label. Revision support is all or nothing.
  if (!$entity->getEntityType()->isRevisionable() || $entity->isDefaultRevision()) {
    $label_access = $entity->access('view label', NULL, TRUE);
    $entity->addCacheableDependency($label_access);
    if ($label_access->isAllowed()) {
      return LabelOnlyResourceObject::createFromEntity($resource_type, $entity);

In the wild -- https://github.com/Free5Dev/drupalMagellium/blob/f5b0344a528a1df788c94e7558a6826dc9a2f736/core/modules/jsonapi/src/Access/EntityAccessChecker.php#L181

Here jsonapi decides to render a limited version of the entity.

It seems like this entity needs to be made revisionable in order to pass the above check and be fully rendered.

https://github.com/drupalcommerce/commerce/blob/8.x-2.x/modules/product/src/Entity/ProductType.php

How do I make the ProductType entity revisionable?

I've found this https://www.drupal.org/docs/8/api/entity-api/making-an-entity-revisionable but it seems to be limited in its explanation.

joshua.thomas.bird
  • Here's a link to the particular record I'm interested in. Notice that only the "label" attribute is viewable as an anonymous user. https://ihmm-drupal.reginault.com/jsonapi/commerce_product_type/commerce_product_type – joshua.thomas.bird Aug 08 '19 at 13:33

1 Answer

Drupal's JSON:API module does not bring its own authorization logic. It respects and uses all security measures that Drupal has for that data. You can find more details on that in the Security considerations chapter of the module docs.

Drupal Commerce does not provide its own access management either. At least that is what I get from their docs.

You should check your field permissions. Maybe they are customized using the Field Permissions module? You may want to Audit Entity Access and Field Access as recommended in the docs of the JSON:API module.

jelhan
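
One way to run the access audit recommended above from the client side, as an added example that is not part of the original posts: compare the same JSON:API collection fetched anonymously and with an authorized account, and report which attributes were withheld per resource. Both documents are constructed samples; the ids, attribute values and function names are assumptions.

```javascript
// Constructed sample documents (not real responses): the same collection
// as seen by an anonymous caller and by an authorized account.
const TYPE = 'commerce_product_type--commerce_product_type';
const anonymousDoc = {
  data: [{ type: TYPE, id: 'aaaa-1111', attributes: { label: 'Default' } }],
};
const authorizedDoc = {
  data: [
    { type: TYPE, id: 'aaaa-1111',
      attributes: { label: 'Default', description: 'Constructed', variationType: 'default' } },
    { type: TYPE, id: 'bbbb-2222',
      attributes: { label: 'Clothing', description: 'Constructed', variationType: 'clothing' } },
  ],
};

// Index a JSON:API document's resource objects by "type:id".
// Handles both collection (array) and individual (object) responses.
function indexResources(doc) {
  const list = Array.isArray(doc.data) ? doc.data : doc.data ? [doc.data] : [];
  return new Map(list.map((r) => [`${r.type}:${r.id}`, r]));
}

// For every resource the authorized caller sees, classify what the
// restricted caller received:
//   omitted    - resource missing entirely (view and view label both denied)
//   label-only - only the label attribute came back (the fallback quoted above)
//   partial    - some attributes hidden (typically field-level access)
//   full       - same attribute set
function auditExposure(restrictedDoc, fullDoc, labelKey = 'label') {
  const restricted = indexResources(restrictedDoc);
  const findings = [];
  for (const [key, full] of indexResources(fullDoc)) {
    const fullAttrs = Object.keys(full.attributes || {});
    const seen = restricted.get(key);
    if (!seen) {
      findings.push({ resource: key, status: 'omitted', hidden: fullAttrs });
      continue;
    }
    const seenAttrs = Object.keys(seen.attributes || {});
    const hidden = fullAttrs.filter((a) => !seenAttrs.includes(a));
    const labelOnly = hidden.length > 0 && seenAttrs.length === 1 && seenAttrs[0] === labelKey;
    const status = labelOnly ? 'label-only' : hidden.length ? 'partial' : 'full';
    findings.push({ resource: key, status, hidden });
  }
  return findings;
}

console.log(auditExposure(anonymousDoc, authorizedDoc));
```

A `label-only` finding points at entity-level view access for that role, while `partial` points at field-level access, which tells you which of the two audits to start with.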