Starting this forum topic to document a recent chat and continue the discussion here…
Tl;dr: The entity permissions for assets/logs/etc are not related to the `owner` field, despite having names like `edit own asset`.
Here is a copy of the chat:
Fri, Aug 22, 2025, 04:44:31 - RUros: And I have also made another observation, where I cannot say what is wrong: I created a new user, let's say "user 1", where I want to set permission so it can view all assets, but only edit those that are owned by him (user 1). So I set a new role with checked permissions. But what happens: If an asset is created by other users (like admin user) and ownership in meta is set to "user 1", then "user 1" can view the asset but cannot edit it. But if the asset is created by "user 1" then "user 1" can also edit it.
Fri, Aug 22, 2025, 04:47:38 - RUros: My understanding is that parameter "Owners" in Meta tab defines this. But it seems this does not work that way. Did I miss something?
Fri, Aug 22, 2025, 04:50:27 - RUros: So conclusion: if an asset is created by another user, then "user 1" cannot edit it, although owner is set to "user 1" in meta tab of this asset.
Fri, Aug 22, 2025, 05:22:16 - symbioquine: What groups are you assigning to your users? i.e. `farm_manager`, `farm_viewer`, etc?
Fri, Aug 22, 2025, 05:22:34 - symbioquine: https://farmos.org/guide/people/
Fri, Aug 22, 2025, 06:46:35 - RUros: For "user 1" the assigned role is Viewer (managed) and an additional role which I created where I am allowing certain assets to do: create asset, update own asset, delete own asset.
Fri, Aug 22, 2025, 06:50:26 - symbioquine: I think you'd have to write some custom code to control whether users with your group can edit assets where they are the owner. I don't think that comes out-of-the-box with farmOS...
Fri, Aug 22, 2025, 06:51:59 - mstenta: RUros: yes unfortunately the "edit own asset" permission is not related to the "owner" field :-/
Fri, Aug 22, 2025, 06:52:23 - mstenta: The former is a standard Drupal perm related to the original author of the entity
Fri, Aug 22, 2025, 06:52:42 - mstenta: The latter is a field specific to farmOS
Fri, Aug 22, 2025, 06:53:04 - mstenta: We need to disambiguate that and add more perms for the owner field I agree
Fri, Aug 22, 2025, 06:54:17 - mstenta: Perhaps it would be worth changing "edit own asset" to "edit authored asset" or something like that
Fri, Aug 22, 2025, 06:54:45 - RUros: ok, thank you for explanation. Yes, maybe it is a little confusing 🙈
Fri, Aug 22, 2025, 06:55:06 - mstenta: Yes it is
Fri, Aug 22, 2025, 06:59:17 - RUros: So my "user 1" must be the creator of an asset to be able to edit it, right? What can I do if I already have assets, but they were not created by him?
Fri, Aug 22, 2025, 07:11:42 - symbioquine: Some interesting references. Still trying to wrap my head around this...
A: https://github.com/farmOS/farmOS/blob/f8eccce1e4f90f853029366dd0aa1eaa30446f16/modules/core/role/src/ManagedRolePermissionsManager.php#L234-L236
B: https://github.com/farmOS/farmOS/blob/f8eccce1e4f90f853029366dd0aa1eaa30446f16/modules/core/asset/src/Entity/Asset.php#L190
C: https://github.com/farmOS/farmOS/blob/f8eccce1e4f90f853029366dd0aa1eaa30446f16/modules/core/owner/farm_owner.module#L32
D: https://git.drupalcode.org/project/drupal/-/blob/8.9.x/core/modules/user/src/EntityOwnerTrait.php
Fri, Aug 22, 2025, 07:12:59 - symbioquine: So I think I'm understanding that the comment in **A** is referring to the "owner" base field added at **B** (by the code in **D**), not the "owner" field added in **C**...
Fri, Aug 22, 2025, 07:13:34 - symbioquine: What I don't see is why those can both be added with apparently the same name 🧐
Fri, Aug 22, 2025, 07:14:14 - symbioquine: (Maybe a dumb question, I might just need more tea to see it... 😅)
Fri, Aug 22, 2025, 07:42:28 - mstenta: Not a dumb question... it's super confusing
Fri, Aug 22, 2025, 07:42:39 - mstenta: There are two base fields: `uid` and `owner`
Fri, Aug 22, 2025, 07:43:41 - mstenta: `uid` is the "owner" from Drupal's perspective, aka author, `owner` is the one we added to represent "asset/log ownership"
Fri, Aug 22, 2025, 07:43:44 - symbioquine: I see the `uid` one here: https://github.com/farmOS/farmOS/blob/f8eccce1e4f90f853029366dd0aa1eaa30446f16/modules/core/asset/src/Entity/Asset.php#L212-L235
Fri, Aug 22, 2025, 07:44:18 - mstenta: Here is the link: https://github.com/farmOS/farmOS/blob/f8eccce1e4f90f853029366dd0aa1eaa30446f16/modules/core/asset/src/Entity/Asset.php#L44
Fri, Aug 22, 2025, 07:45:13 - symbioquine: Ah, so that creates the mapping that **D** is pulling from when it creates the "owner" (author) base field.
Fri, Aug 22, 2025, 07:45:21 - mstenta: Yep
Fri, Aug 22, 2025, 07:45:49 - mstenta: If we take away the `owner` field that farmOS added, we would still be left with A, B, and D
Fri, Aug 22, 2025, 07:45:55 - symbioquine: Whereas **C** doesn't do any mapping and actually creates a field with the key of literally `owner`
Fri, Aug 22, 2025, 07:46:04 - mstenta: Exactly
Fri, Aug 22, 2025, 07:46:18 - symbioquine: 🤦‍♂️
Fri, Aug 22, 2025, 07:46:41 - mstenta: We chose to call `owner` "Owner" because it makes more sense from a user's perspective
Fri, Aug 22, 2025, 07:46:49 - symbioquine: Thanks for walking me through that.
Fri, Aug 22, 2025, 07:46:51 - mstenta: IMO Drupal's "owner" should be "author"
Fri, Aug 22, 2025, 07:47:53 - mstenta: All of this is hidden in the code, and the only place it really reveals itself to site admins/users is in the permissions
Fri, Aug 22, 2025, 07:48:02 - mstenta: (and the ambiguity of the word "own")
Fri, Aug 22, 2025, 07:48:16 - mstenta: In the permissions, "own" means "author"
Fri, Aug 22, 2025, 07:49:01 - mstenta: We could try to disambiguate by changing the permission names
Fri, Aug 22, 2025, 07:49:23 - mstenta: But it would probably mean overriding/replacing a bunch of core code
Fri, Aug 22, 2025, 07:51:06 - mstenta: And it would be a breaking change
Fri, Aug 22, 2025, 07:51:53 - mstenta: I would love to figure out a plan though... it's been in the back of my mind for a long time
Fri, Aug 22, 2025, 07:52:40 - symbioquine: Could just be a matter of documenting that under development and linking to it from some strategic comments in the source.
Fri, Aug 22, 2025, 07:52:44 - mstenta: We don't really use `uid` for anything... it's mostly just there as a way of tracking who the original author was.
Fri, Aug 22, 2025, 07:52:56 - mstenta: So maybe we can hijack the permissions and just rewire stuff to use `owner` instead
Fri, Aug 22, 2025, 07:53:33 - symbioquine: It sounds like that would be in the direction of what RUros was trying to do.
Fri, Aug 22, 2025, 07:53:38 - mstenta: But I imagine there is also a case for having permissions for the original author too
Fri, Aug 22, 2025, 07:54:03 - mstenta: Yea agreed - I think that's what a normal person's expectation would be when they read "edit own assets" :-)
Fri, Aug 22, 2025, 07:54:58 - mstenta: It would raise questions like: if I create an asset, and assign ownership to someone, can I still view/edit the asset?
Fri, Aug 22, 2025, 07:55:20 - mstenta: (Hence why some extra "author" permissions may be necessary)
Fri, Aug 22, 2025, 07:56:54 - symbioquine: Seems like we'd need to have some example use-cases for that sort of restricted permission in hand to say - and to say whether that needs to all be automatic or whether an admin can just come re-assign ownership if someone accidentally gives theirs away.
Fri, Aug 22, 2025, 07:57:52 - mstenta: Yea
Fri, Aug 22, 2025, 07:58:36 - mstenta: Maybe the first step is to review how the `EntityOwnerTrait` works and what it adds/does
Fri, Aug 22, 2025, 07:59:19 - mstenta: This goes a bit beyond Drupal core too, FYI... the `entity` module (https://www.drupal.org/project/entity) is responsible for providing all the permissions for custom entity types IIRC
Fri, Aug 22, 2025, 07:59:29 - mstenta: (It probably also looks for `EntityOwnerTrait`)