Custom Permissions

A lightweight module that allows site administrators to create custom permissions and map them to specific Drupal routes, enabling granular access control without the need for the broad 'Administer site configuration' permission.

config_perms
10,058 sites
70
drupal.org
gui api
permissions access control administration security user roles route access configuration management
Drupal 8 Drupal 9 Drupal 10 Drupal 11

インストール

Drupal 11, 10, 9, 8 v8.x-2.3
composer require 'drupal/config_perms:8.x-2.3'

概要

Custom Permissionsは、管理インターフェースを通じてカスタム権限を作成・管理するためのシンプルかつ強力な方法を提供する軽量なDrupalモジュールです。管理者は特定のルート(管理パス)に割り当て可能な権限を定義でき、サイト設定タスクに対するきめ細かなアクセス制御が可能になります。

このモジュールは、権限名と関連するルートを保存する設定エンティティを作成することで動作します。有効にすると、Drupalの権限システムでこれらの権限を動的に生成し、指定されたルートのデフォルトのアクセスチェックを独自のアクセスチェッカーで上書きします。これにより、カスタム権限を持つユーザーは、より広範な「サイト設定の管理」権限がなくても、指定されたルートにアクセスできるようになります。

このモジュールには、4つの事前設定済み権限が同梱されています:アカウント設定の管理、日時の管理、エラーログの管理、ファイルシステムの管理です。管理者は管理インターフェースを通じて、新しい権限を簡単に追加したり、既存の権限を変更したりできます。

Features

  • 直感的な管理インターフェースを通じて、特定のDrupalルートにマッピングされたカスタム権限を作成
  • Drupalの標準権限ページに表示される権限を動的に生成
  • ルートアクセスチェックを上書きし、カスタム権限ベースのアクセス制御を使用
  • 一般的な管理タスク用の4つの事前設定済み権限を同梱
  • 改行区切りのルート名を使用して、1つの権限に複数のルートを割り当て可能
  • 権限を設定エンティティとして保存し、エクスポートやデプロイが可能
  • 保存前にルート名が存在するかを検証
  • ユーザー1は権限設定に関係なく、常に完全な管理者権限を維持

Use Cases

Delegating Administrative Tasks to Content Editors

A common use case is allowing content editors to access specific configuration pages without granting full administrative access. For example, you can create a custom permission that allows editors to manage date formats (entity.date_format.collection) so they can configure how dates appear on the site, without having access to other system settings.

Creating Role-Based Access to Reporting

Site administrators can create a custom permission to access the database logging page (dblog.overview) and assign it to a 'Site Monitor' role. This allows designated users to view error logs and site activity without having broader administrative privileges.

Separating File System Administration

For sites where specific users need to configure file upload settings, create a permission mapped to system.file_system_settings. This enables file administrators to manage upload directories and file handling without access to other system configuration.

Multi-Route Permission Bundles

Create a single permission that grants access to multiple related routes. For example, a 'Manage User Settings' permission could include both entity.user.admin_form (account settings) and user.role_admin (role management), creating a comprehensive user administration permission.

Tips

  • Route names can be found in *.routing.yml files within Drupal core and contributed modules, or by using debugging tools like Devel module
  • Remember that custom permissions completely override the default access requirements for specified routes - users with original core permissions will no longer have access unless they also have the custom permission
  • Always test custom permissions with a non-admin account to verify access is correctly restricted
  • When migrating from older versions, note that paths have been replaced with route names - use Drupal's path validator to convert paths to route names
  • Multiple routes can be assigned to a single permission by entering each route name on a separate line in the Route(s) field

Technical Details

Admin Pages 2
Custom permissions list forms /admin/people/custom-permissions/list

The main administration page for managing custom permissions. This page displays a table of all defined custom permissions and allows administrators to create, edit, enable/disable, and delete permissions. Each permission can be mapped to one or more Drupal routes.

Delete Custom perms entity /admin/structure/custom_perms_entity/{custom_perms_entity}/delete

Confirmation page for deleting a custom permission. Displays the permission name and asks for confirmation before permanent deletion.

権限 1
Administer custom permissions

Allows users to access and manage the Custom Permissions administration page. Users with this permission can create, edit, enable/disable, and delete custom permissions. This is a restricted access permission due to its security implications.

Hooks 1
config_perms_parse_path

Utility function to convert between string and array representations of routes. When given an array of routes, joins them with newlines. When given a string, splits by newlines into an array.

Security Notes 4
  • Custom permissions may have security implications as they grant access to administrative pages - carefully review which routes are being exposed
  • The module displays a warning on the permissions page indicating that custom permissions may have security implications
  • Removing a user's 'Administer site configuration' permission while relying on custom permissions ensures they can only access specifically designated administrative areas
  • User 1 always maintains full access regardless of permission settings, providing a failsafe for site recovery