restrict access to a JSON:API feed when a channel restricts access

Ben Stallingsrequested to merge
issue/entity_share-3562549:3562549-authorized-users-access into 4.0.x

Summary of Changes

  1. Channel Form (ChannelForm.php) Added a checkbox in the Access section: "Also restrict JSON:API access" Added save logic to persist the restrict_jsonapi_access field value
  2. Channel Entity (Channel.php) Added restrict_jsonapi_access to the config_export array Added protected property $restrict_jsonapi_access with proper documentation
  3. Configuration Schema (channel.schema.yml) Added schema definition for the restrict_jsonapi_access boolean field
  4. Access Control Implementation (entity_share_server.module) Implemented hook_entity_access() that: Only applies to GET/view operations on JSON:API requests Finds all channels matching the entity type/bundle Separates channels with restriction enabled vs disabled If any channel has restriction enabled, checks if user is authorized Grants access if user is authorized in ANY restricting channel Denies access with proper cache metadata if user is not authorized Properly implements the requirement that "if any channel restricts a feed, that feed should be restricted even if another channel does not restrict the same feed"
  5. Update Hook (entity_share_server.post_update.php) Added entity_share_server_post_update_set_default_restrict_jsonapi_access() Sets default value to FALSE for backward compatibility Existing sites need to explicitly opt-in to the new security feature
  6. Functional Tests (JsonApiAccessTest.php) Comprehensive test coverage including: JSON:API access restriction when enabled JSON:API access NOT restricted when disabled Role-based restrictions Permission-based restrictions Multiple channels with mixed restriction settings (ensures restricting channel takes priority) Key Features Opt-in design: Admins must explicitly check the box to enable JSON:API restrictions GET-only: Only restricts view/GET operations as requested Restrictive priority: If ANY channel restricts access, users must be authorized in at least one restricting channel Backward compatible: Existing channels default to FALSE (no restriction) Proper caching: Includes appropriate cache contexts and dependencies Comprehensive tests: Tests all authorization methods and edge cases The GitLab CI will run phpcs, phpcbf, and PHPStan checks. Let me know what feedback you get and I can help address any issues!

Merge request reports