Creating permissions in .permissions.ymlfor Drupal 8 , 9 , 10 , and 11

Home » Module Development » Creating permissions in .permissions.yml
Last updated :  
8.x , 9.x , 10.x , 11.x

Permissions in Drupal are a powerful mechanism for controlling who can access and perform actions within your site. They form the foundation of role-based access control, providing a secure way to manage user capabilities across your Drupal application. This lesson focuses on how to define and manage custom permissions using the .permissions.yml file in your modules, a vital step in safeguarding functionality and operations.

Understanding Permissions in Drupal

Permissions in Drupal are typically string values that are matched against user roles. Each role can be assigned permissions, allowing users with that role to access certain features or perform specific tasks on the site. By creating custom permissions, you can tailor your module's functionality and data access to fit the exact needs of your Drupal application and its users.

Setting Up .permissions.yml

To include permissions in your custom module, you will need to define them in a .permissions.yml file. This file should be placed in the root directory of your module. If you have a module named "hello_world", your file will be hello_world.permissions.yml. Let's explore the structure and key elements of this file.

Basic Permissions Structure

At its core, each permission in the .permissions.yml file consists of a machine name (used in code) and human-readable title and description (used in the admin UI):

access hello_world content:
  title: 'Access Hello World content'
  description: 'Grants access to view content provided by the Hello World module.'
  • Machine Name: access hello_world content is the unique identifier used to reference the permission internally within your module.
  • Title: A user-friendly label for the permission, displayed in the Permissions UI on the admin interface.
  • Description: Provides additional context about what the permission allows, assisting administrators in making informed decisions.

Such a definition permits fine-tuned control over module components, enhancing security and operational coherence in multi-role environments.

Implementing Permissions in Your Module

Once permissions are defined, you can integrate them into your module to secure routes, alter displays, or manage access to specific functionality. Here’s how you can embed permissions within a routing configuration:

Example Route Configuration

Referring back to our "Hello World" module, consider the following route definition:

hello_world.content:
  path: '/hello'
  defaults:
    _controller: '\Drupal\hello_world\Controller\HelloWorldController::content'
    _title: 'Hello World'
  requirements:
    _permission: 'access hello_world content'
  • Requirements Key: Specifies the _permission that users must have to access the route.

With this configuration, only users with the "Access Hello World content" permission can view content delivered on this route, effectively managing user access.

Assigning Permissions to Roles

Permissions can be assigned to user roles in Drupal via the admin interface:

  1. Navigate to People > Permissions in the admin menu.
  2. Find the permission you defined, such as "Access Hello World content".
  3. Check the boxes next to the roles you wish to grant the permission to, such as "Authenticated User" or "Administrator".
  4. Save changes to apply the permission assignments across the site.

This process ensures the roles have appropriate access permissions according to your module's functionality and site policy.

Best Practices for Defining Permissions

  • Be Specific: Design permissions that reflect specific actions or access points within your application to allow precise control.
  • Avoid Overlapping: Each permission should serve a unique purpose, minimizing redundancy and confusion.
  • Use Clear Titles/Descriptions: Ensure titles and descriptions are straightforward and informative to aid administrators in configuration.
  • Mind Security: Only grant permissions to users who genuinely require them, following the principle of least privilege.

Incorporating these best practices ensures that your permissions are both effective in their roles and simple for administrators to manage.

Testing Permissions

Verifying permissions is vital to ensure they function as intended:

  1. Check Roles: Log in with different user roles to test access to the routes or functionality protected by your permissions.
  2. Adjust Permissions: Use the Permissions admin page to toggle permissions and observe changes in access.
  3. Review Logs: Analyze Drupal logs for permission errors or unauthorized access attempts to improve security measures.

Regular testing and auditing maintain the security and functionality integrity of your application.

Conclusion

Creating permissions in the .permissions.yml file enables precise access control in your Drupal modules, supporting complex security environments with ease. This lesson provided a comprehensive overview of defining and applying permissions, empowering you to manage who can access different parts of your module effectively.

In the upcoming lesson, we will explore Generating permissions programmatically with hook_permission(), offering a more dynamic and flexible approach to handling permissions in your Drupal site. Stay engaged for further insights!