Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem/Motivation
Discovered while working on #2819335: Resource (entity) normalization should use partial caching.
\Drupal\user\UserAccessControlHandler::checkFieldAccess() does this:
case 'preferred_langcode':
case 'preferred_admin_langcode':
case 'timezone':
case 'mail':
// Allow view access to own mail address and other personalization
// settings.
if ($operation == 'view') {
return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::neutral();
}
Note that the "else" case returns AccessResult::neutral() without any cache context. Despite that result being dependent on whether the User entity matching the current user ($is_own_account).
Proposed resolution
Fix it: add the user cache context to the "else" case too.
Remaining tasks
Tests.
User interface changes
None.
API changes
None.
Data model changes
None.
Release notes snippet
None.
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | 3026264-8.patch | 8.7 KB | Wim Leers |
| #8 | interdiff.txt | 7.84 KB | Wim Leers |
| #3 | 3026264-3.patch | 926 bytes | Wim Leers |
Comments
Comment #2
Wim LeersComment #3
Wim LeersOr, slightly nicer.
Comment #4
Wim LeersNote that this is not a security risk. The worst that can happen is that the denial of access is cached and applied to users that should have access — it is impossible that HEAD causes users who should not have access to gain access.
Comment #5
Wim LeersThis is a soft blocker to #2819335-41: Resource (entity) normalization should use partial caching — we can choose to disable the failing test for now, but ideally we of course would not do that.
Comment #7
Wim LeersComment #8
Wim LeersThis is the first case of a REST entity normalization resulting in a normalization that varies by
user. So the REST base test class needed updating.Comment #9
Wim LeersComment #10
cspitzlayI had this issue when requesting attributes of different users (access_tokens via simple_oauth, then requests via jsonapi).
Once a user1 tried to access a field of user2 the user2 was no longer returned their own fields they should have access to.
I tested the patch from #8 and it solves the problem for me.
Comment #11
Wim LeersMarking RTBC per #10.
Comment #12
knyshuk.vova CreditAttribution: knyshuk.vova at Internetdevels, Drupal Ukraine Community commented+1 to RTBC
Comment #13
catchCommitted dde2ff8 and pushed to 8.7.x. Thanks!