Issue #3358586 by godotislate, kala4ek, jaswinsingh, benjifisher, creact,...

Issue #3358586 by godotislate, kala4ek, jaswinsingh, benjifisher, creact, catch, simohell, alexpott, alfthecat, aaronbauman, rupertj, poker10: RuntimeException: Adding non-existent permissions to a role is not allowed (cherry picked from commit 0348fc51)

Issue #3358586 by godotislate, kala4ek, jaswinsingh, benjifisher, creact,...
1f559ea8 · Alex Pott · b5ccec75 · 1f559ea8 · 1f559ea8
Unverified Commit 1f559ea8 authored 3 months ago by Alex Pott
--- a/core/modules/user/src/Entity/Role.php
+++ b/core/modules/user/src/Entity/Role.php
@@ -211,10 +211,15 @@ public function calculateDependencies() {
    $valid_permissions = array_intersect($this->permissions, array_keys($permission_definitions));
    $invalid_permissions = array_diff($this->permissions, $valid_permissions);
    if (!empty($invalid_permissions)) {
-      throw new \RuntimeException('Adding non-existent permissions to a role is not allowed. The incorrect permissions are "' . implode('", "', $invalid_permissions) . '".');
+      \Drupal::logger('user')->error('Non-existent permission(s) assigned to role "@label" (@id) were removed. Invalid permission(s): @permissions.', [
+        '@label' => $this->label(),
+        '@id' => $this->id(),
+        '@permissions' => implode(', ', $invalid_permissions),
+      ]);
+      $this->permissions = $valid_permissions;
    }
    foreach ($valid_permissions as $permission) {
-      // Depend on the module that is providing this permissions.
+      // Depend on the module that is providing this permission.
      $this->addDependency('module', $permission_definitions[$permission]['provider']);
      // Depend on any other dependencies defined by permissions granted to
      // this role.

--- a/core/modules/user/tests/src/Kernel/UserRoleEntityTest.php
+++ b/core/modules/user/tests/src/Kernel/UserRoleEntityTest.php
@@ -4,8 +4,11 @@

 namespace Drupal\Tests\user\Kernel;

+use Drupal\Core\DependencyInjection\ContainerBuilder;
+use Drupal\Core\Logger\RfcLogLevel;
 use Drupal\KernelTests\KernelTestBase;
 use Drupal\user\Entity\Role;
+use Symfony\Component\ErrorHandler\BufferingLogger;

 /**
 * @group user
@@ -18,6 +21,16 @@ class UserRoleEntityTest extends KernelTestBase {
   */
  protected static $modules = ['system', 'user', 'user_permissions_test'];

+  /**
+   * {@inheritdoc}
+   */
+  public function register(ContainerBuilder $container): void {
+    parent::register($container);
+    $container
+      ->register(BufferingLogger::class)
+      ->addTag('logger');
+  }
+
  public function testOrderOfPermissions(): void {
    $role = Role::create(['id' => 'test_role', 'label' => 'Test role']);
    $role->grantPermission('b')
@@ -37,17 +50,27 @@ public function testGrantingNonExistentPermission(): void {
    $role = Role::create(['id' => 'test_role', 'label' => 'Test role']);

    // A single permission that does not exist.
-    $this->expectException(\RuntimeException::class);
-    $this->expectExceptionMessage('Adding non-existent permissions to a role is not allowed. The incorrect permissions are "does not exist".');
    $role->grantPermission('does not exist')
      ->save();
+    $log_message = \Drupal::service(BufferingLogger::class)->cleanLogs()[0];
+    $this->assertSame(RfcLogLevel::ERROR, $log_message[0]);
+    $this->assertSame('Non-existent permission(s) assigned to role "@label" (@id) were removed. Invalid permission(s): @permissions.', $log_message[1]);
+    $this->assertSame('Test role', $log_message[2]['@label']);
+    $this->assertSame('test_role', $log_message[2]['@id']);
+    $this->assertSame('does not exist', $log_message[2]['@permissions']);

-    // A multiple permissions that do not exist.
-    $this->expectException(\RuntimeException::class);
-    $this->expectExceptionMessage('Adding non-existent permissions to a role is not allowed. The incorrect permissions are "does not exist, also does not exist".');
+    // Multiple permissions that do not exist.
    $role->grantPermission('does not exist')
      ->grantPermission('also does not exist')
      ->save();
+    $log_message = \Drupal::service(BufferingLogger::class)->cleanLogs()[0];
+    $this->assertSame(RfcLogLevel::ERROR, $log_message[0]);
+    $this->assertSame('Non-existent permission(s) assigned to role "@label" (@id) were removed. Invalid permission(s): @permissions.', $log_message[1]);
+    $this->assertSame('Test role', $log_message[2]['@label']);
+    $this->assertSame('test_role', $log_message[2]['@id']);
+    $this->assertSame('does not exist, also does not exist', $log_message[2]['@permissions']);
+    $permissions = $role->getPermissions();
+    $this->assertEmpty(array_intersect(['does not exist', 'also does not exist'], $permissions));
  }

  public function testPermissionRevokeAndConfigSync(): void {