Module Description
This small module is intended to be used on headless Drupal sites where only admins and developers should have access to the Drupal UI, and regular/authenticated users should not. This is accomplished via a new permission called "Access UI routes".
The permission only applies to routes that the module determines are not API routes. The determination is based on the format requirements specified on each route. Any route that declares a _format requirement that starts with the string 'api_' or ends with the string 'json' is considered an API route. This crude heuristic seems to work for both the RESTful Web Services and JSON:API modules in core. YMMV for third-party modules that handle API requests in their own controllers without any special sentinel values in their routes.
In addition, special system routes (like the CSRF token endpoint for RESTful Web Services) as well as the user login and password reset forms are excluded from access restrictions via a new hook_disable_ui_route_exclusions(). If your site needs to expose more routes to users, you should either ensure that the _format of your route is correct (if you are exposing an API) or you should implement the new hook (if you are exposing an HTML page).
Credits
Project icon made by Freepik from www.flaticon.com
The permission only applies to routes that the module determines are not API routes. The determination is based on the format requirements specified on each route. Any route that declares a _format requirement that starts with the string 'api_' or ends with the string 'json' is considered an API route. This crude heuristic seems to work for both the RESTful Web Services and JSON:API modules in core. YMMV for third-party modules that handle API requests in their own controllers without any special sentinel values in their routes.
In addition, special system routes (like the CSRF token endpoint for RESTful Web Services) as well as the user login and password reset forms are excluded from access restrictions via a new hook_disable_ui_route_exclusions(). If your site needs to expose more routes to users, you should either ensure that the _format of your route is correct (if you are exposing an API) or you should implement the new hook (if you are exposing an HTML page).
Credits
Project icon made by Freepik from www.flaticon.com
Module Link
Project Usage
52
Security Covered
Covered By Security Advisory
Version Available
Production
Module Summary
This module aims to restrict access to the Drupal UI for regular/authenticated users on headless Drupal sites, allowing only admins and developers to have access via a new permission called 'Access UI routes'.
Data Name
disable_ui