DispatchPolicy - Actively report any upgrade problems with hook_civicrm_permission #19217
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
(Standard links)
|
|
@totten just wondering if this should go against the RC given the other upgrade changes we have merged in there? |
…rm_permission
Overview
--------
This is a preventive/diagnostic revision which would bring to light potential
problems with firing `cleanupPermissions()`/`hook_civicrm_permission` at the
wrong moment during an upgrade.
Before
------
If `cleanupPermissions()` (and its `hook_civicrm_permission`) are fired too
early during an upgrade, then the cleanup runs quietly but omits important
results (because the hook is dropped). On several UF's, the
`cleanupPermissions()` **revokes access** for any omitted permissions. The
sysadmin would have manually re-grant access.
After
-----
If `cleanupPermissions()` (and its `hook_civicrm_permission`) are fired too
early during an upgrade, then it raises an error during the upgrade.
Surely, it's better to report the error rather than silently drop the data.
Comments
--------
* This revision is preventive/diagnostic/speculative. It's based on rumor that
somebody had a problem with permissions in an upgrade. I don't actually have
steps to reproduce a probelmatic case.
* To see this preventive mechanism in action, I provoked a trivial violation:
* Setup a DB with 5.32
* Checkout the code for 5.34.
* Add a local hack https://gist.github.com/totten/e1448b343f94ff9c3d971402a1b3db3d
which has the effect of running `cleanupPermissions()` prematurely.
* Observe: `cv upgrade:db` fails (cv v0.3.5+)
* It's tempting to think of `hook_civicrm_permission` as returning a static list of
strings -- in which case, there's no real harm to firing during the defensive
phase. The problem is that `hook_civicrm_permission` can also be used for
dynamic scenarios. (The power of hooks!) That's useful for any site-building
extension (e.g. bespoke forms/views/APIs/dashlets) where you generate new
permissions based on site configuration. That will depend on the
correct-functioning of the extension+configuration... which cannot be
ensured during the defensive upgrade-phase... and which creates a parallel
choice between incorrect-results (data-loss) or fatal-error. This is the
real reason why one shouldn't run `cleanupPermissions()` during the defensive
phase. (Of course, we should run it... during the liberal phase...)
620d02f to
a9033ca
Compare
|
@seamuslee001 Yeah, 5.33 is OK by me because it's related to some other RC fixes, but TBH this part is more a preventive thing than a critical fix, so it's grey-area. I've rebased so that the PR can be switched freely to either |
|
I think 5.33 is the one given the other improvements that have happened there MOP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This is a preventive/diagnostic revision which would bring to light potential problems with firing
cleanupPermissions()/hook_civicrm_permissionat the wrong moment during an upgrade.Before
If
cleanupPermissions()(and itshook_civicrm_permission) are fired too early during an upgrade, then the cleanup runs quietly but omits important results (because the hook is dropped). On several UF's, thecleanupPermissions()revokes access for any omitted permissions. The sysadmin would have manually re-grant access.After
If
cleanupPermissions()(and itshook_civicrm_permission) are fired too early during an upgrade, then it raises an error.Surely, it's better to report the error rather than silently drop the data.
Comments
This revision is preventive/diagnostic/speculative. It's based on rumor that somebody had a problem with permissions in an upgrade. I don't actually have steps to reproduce a probelmatic case.
To see this preventive mechanism in action, I provoked a trivial violation:
which has the effect of running
cleanupPermissions()prematurely.cv upgrade:dbfails (cv v0.3.5+)It's tempting to think of
hook_civicrm_permissionas returning a static list of strings -- in which case, there's no real harm to firing during the defensive phase. The problem is thathook_civicrm_permissioncan also be used for dynamic scenarios. (The power of hooks!) That's useful for any site-building extension (e.g. bespoke forms/views/APIs/dashlets) where you generate new permissions based on site configuration. That will depend on thecorrect-functioning of the extension+configuration... which cannot be ensured during the defensive upgrade-phase... and which creates a parallel choice between incorrect-results (data-loss) or fatal-error. This is the real reason why one shouldn't run
cleanupPermissions()during the defensive phase. (Of course, we should run it... during the liberal phase...)