Access control
Permissions are defined in crm_membership.permissions.yml. Entity access handlers map operations to those permissions.
Permission list
| Permission | Restrict access | Typical use |
|---|---|---|
administer crm_membership |
Yes | Full admin: settings, period CRUD, membership create, bypass granular checks |
view crm membership types |
No | View membership type list and individual types |
create crm membership types |
No | Add new membership types |
edit crm membership types |
No | Edit membership type configuration |
delete crm membership types |
Yes | Delete membership types |
view memberships |
No | View membership entities and optional periods View |
edit memberships |
No | Edit existing memberships |
renew memberships |
No | Use renew form / Renew operation |
delete memberships |
Yes | Delete memberships |
There is no create memberships permission. Creating memberships requires administer crm_membership (entity admin_permission).
Membership Type (crm_membership_type)
Handler: MembershipTypeAccessControlHandler
| Operation | Permission(s) |
|---|---|
| view | view crm membership types OR administer crm_membership |
| create | create crm membership types OR administer crm_membership |
| update | edit crm membership types OR administer crm_membership |
| delete | delete crm membership types OR administer crm_membership |
Collection route permission: view crm membership types.
Membership (crm_membership)
Handler: MembershipAccessControlHandler
| Operation | Permission(s) |
|---|---|
| view | view memberships OR administer crm_membership |
| update | edit memberships OR administer crm_membership |
| renew | renew memberships OR administer crm_membership |
| delete | delete memberships OR administer crm_membership |
| create | administer crm_membership (via entity admin permission) |
The Renew list operation and renew form route check the renew operation.
Membership Period (crm_membership_period)
Uses default entity access with admin_permission: administer crm_membership. All standard entity routes (view, create, update, delete) require admin permission unless extended by another module.
Global collection: /crm/membership/periods — menu link at CRM portal → Memberships → Membership periods (crm.home.membership.periods).
Optional View: periods per membership
Route: view.membership_periods_for_membership.page_membership_periods
Path: /admin/content/crm/membership/{crm_membership}/all-periods (admin Content path, not under /crm/membership/...)
Uses Views access plugin requiring view memberships (not the period entity’s admin permission). Users can list periods for a membership without full period CRUD access.
Module settings (planned)
Route: crm_membership.settings (not implemented yet)
Permission: administer crm_membership only.
Recommended role setup
| Role | Suggested permissions |
|---|---|
| Membership administrator | administer crm_membership |
| Membership manager | view/create/edit crm membership types, view/edit/renew memberships |
| Membership viewer | view crm membership types, view memberships |
Adjust based on site policy. Permissions marked “restrict access” in Drupal should be granted sparingly.
Related
- Configuration — Permission definitions and settings route
- Routes — Paths and route names
- Membership periods UI — View vs CRUD access