Add "Allow Edit Global Regions" permission to restrict editing of global page regions
>>>
[!note] Migrated issue
<!-- Drupal.org comment -->
<!-- Migrated from issue #3584713. -->
Reported by: [rajab natshah](https://www.drupal.org/user/1414312)

Related to !911
>>>

<h3 id="overview">Overview</h3>
<p>Drupal Canvas treats every <code>page_region</code> config entity the same for access. In practice, sites want to let content roles (content admin, site admin, etc.) edit the <em>content</em> region of a Canvas page, but keep global regions such as the <strong>header</strong> and <strong>footer</strong> editable only by trusted roles (site admin and above).</p>
<p>Today the only way to achieve that is to grant/deny the broad <code>administer page template</code> permission, which also controls many unrelated capabilities, or to write a custom module that implements <code>hook_entity_access()</code> for <code>page_region</code>. That is a very common requirement for multi-role editorial sites and it should be supported out of the box.</p>

<h3 id="proposed-resolution">Proposed resolution</h3>
<p>Introduce a single new permission in the Canvas module:</p>
<ul>
<li><strong>Machine name:</strong> <code>edit canvas global regions</code></li>
<li><strong>Label:</strong> Allow Edit Global Regions</li>
<li><strong>Description:</strong> Edit global Drupal Canvas page regions<br> (such as the header and footer) of the default active theme.</li>
<li><strong>Restrict access:</strong> <code>true</code> (security-sensitive).</li>
</ul>
<p>Enforce it via <code>hook_entity_access()</code> on the <code>page_region</code> entity type: any region whose id is not <code>{theme}.content</code> is treated as a global region, and <code>update</code>/<code>edit</code>/<code>delete</code> operations return <code>AccessResult::forbidden()</code> unless the account has the new permission. The <code>content</code> region is unaffected, so existing content roles keep editing page content as before.</p>

<h3 id="ui-changes">User interface changes</h3>
<p>A new row appears on <em>People &raquo; Permissions</em> under the Canvas module, labelled <em>Allow Edit Global Regions</em>, with the standard "restrict access" warning.</p>

<h3>API changes</h3>
<p>None. Adds one new permission and one new <code>hook_entity_access()</code> implementation; no existing behavior changes for roles already granted the new permission or for editing the <code>content</code> region.</p>

<h3>Data model changes</h3>
<p>None.</p>
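<p>The check described under "Proposed resolution", as an added sketch that is not the code from the related merge request or from Canvas itself. The module name <code>mymodule</code> and the helper <code>_mymodule_is_global_region()</code> are hypothetical, and region ids are assumed to have the form <code>{theme}.{region}</code>.</p>

```php
<?php

/**
 * @file
 * Added sketch of the access check described under "Proposed resolution".
 * The module name "mymodule" and the helper below are hypothetical.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Returns TRUE when a page_region id is anything other than "{theme}.content".
 *
 * Assumption: ids have the form "{theme}.{region}", as the issue's
 * "{theme}.content" notation implies.
 */
function _mymodule_is_global_region(string $region_id): bool {
  $parts = explode('.', $region_id, 2);
  // Fail closed: an id that does not match the expected shape counts as global.
  return count($parts) !== 2 || $parts[1] !== 'content';
}

/**
 * Implements hook_entity_access().
 */
function mymodule_entity_access(EntityInterface $entity, $operation, AccountInterface $account): AccessResultInterface {
  // Only write operations on global page_region entities are in scope;
  // everything else stays neutral so existing access logic decides.
  if ($entity->getEntityTypeId() !== 'page_region'
    || !in_array($operation, ['update', 'edit', 'delete'], TRUE)
    || !_mymodule_is_global_region((string) $entity->id())) {
    return AccessResult::neutral();
  }

  // A forbidden result wins over any allowed result from other access checks.
  // The outcome varies by permission, so it must carry that cache context.
  return AccessResult::forbiddenIf(
    !$account->hasPermission('edit canvas global regions'),
    "The 'edit canvas global regions' permission is required to change global regions."
  )->cachePerPermissions();
}
```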