Add cacheability metadata to access checks

A bunch of the code comments reference "this and any parent". Is that carried over from the menu links patch?

I'm not sure what parent means in terms of the general access check API

In that case, "parent" doesn't really seem like the right term. Or at least I don't know if we're using it elsewhere in the caching system?

I might use a word like "encompassing" or "enclosing" or maybe "aggregate"?

I'm not sure how to concisely express "other cache items that need to be invalidated if the cached result of this service is invalidated"

I think "parent" makes sense here, but we might qualify it a bit. Maybe parent cacheable? None of the other suggestions in #6 are clearer.

One thing that's not clear to me, is how we deal with changes to the cache contexts. For example, if an access check adds by-role to it's parent's contexts, and a permission is added to that role, is the parent's cache tagged with that role so that it'll get cleared? Maybe that's a larger issue than what this patch is doing.

interface CacheabilityAffectorInterface {

I winced at that name at first, but I can't really think of anything better at the moment.

In general, I think this patch is going in the right direction.

Huge +1 for adding API support to make access checks cacheable!

Addition: \Core\Cache\CacheabilityAffectorInterface

Why do we need a new interface for this issue instead of using CacheableInterface? The difference seems to be an assumption that we'll only want to cache access checks as part of some bigger structure (e.g., a rendered menu), but that's an implementation detail that shouldn't leak to the access checkers themselves. There's no reason we couldn't choose to cache access check results on their own, in a {cache_access} bin, if we wanted to. And if a containing item does want/need to affect its own cache info with the contained item's cache info, is there any reason it needs the contained item to report its info via a differently named interface?

Ideally, we'd be able to also let access checks specify cache tags — the results of some access checks, like BookNodeIsRemovableAccessCheck and EntityAccessCheck, depends on entities. But because access checks aren't instantiated per unique access check (e.g. per node for which access is being checked), we cannot collect the corresponding cache tags.

What if we do this: instead of making AccessInterface extend CacheableInterface, give it a new method (e.g., getCacheInfo($route, $request, $account)). This needs to return an object that implements CacheableInterface. Instead of requiring each such access checker to create its own unique class for this, perhaps we should add a \Drupal\Core\Cache\CacheableInfo class that's just a dumb value object that receives keys, tags, etc. in its constructor, so that getCacheInfo() implementations can instantiate this class with the desired arguments.

I think it's preferable to tackle this in a follow-up issue, because it'll require relatively invasive changes to access checkers AFAICT.

If the above seems like a good idea, let's do it in this issue, rather than making AccessInterface extend CacheableInterface here, and then undoing it later.

But "cache keys for caching the results" (i.e. generate a CID) versus "cache keys for affecting cacheable parent objects" (i.e. alter a CID to vary by some things) are not the same...If we say that access checks results could be cached in the future, then that implies that each of them should provide the necessary keys to generate a CID. We could do that, even though it'd be completely useless (at least for now), but even then, we'd still need to distinguish between "CID keys" versus "variation keys".

I think you make a good point in theory, but our only current implementations of getCacheKeys() in HEAD (blocks) do not follow your model. They only return the variation keys, and BlockViewBuilder::viewMultiple() adds in the rest that's needed for a full CID. So with that as our example, my interpretation of CacheableInterface::getCacheKeys() is that it's de facto the same as what you conceptualize as CacheAffectorInterface::getCacheContexts(), and that it is the invoker of ->getCacheKeys() whose responsible for adding the rest of CID when wanting to cache the item in its own entry. Maybe we want to change that interpretation, but that seems like a separate issue.

Creating a separate getCacheInfo() method is flawed though, because that would mean replicating the majority of the logic in many access checkers to actually get and validate the entity from the request attributes, for example.

No. Access checkers have no business validating request attributes. I think the ones we have that still do that (in e.g., quickedit) have @todos to fix that. Meanwhile, lumping cache info into the access() method means that we'll never be able to cache access check results on their own. For something like a per-user node access based on node grants, we could return the cacheability info faster than a full access check result. Maybe the DX gain of putting it all into access() as you suggest is worth giving up the ability to cache access checks on their own though. @catch, @msonnabaum: what do you think?

General review:

Given that this makes the DX way of writing access related functions way worse we should try to improve it. At least
adding methdos like isAllowed() would also save you to include the access interface all the time.

On top of that I am confused about the cacheability because some of the checkers depend on the request so I don't see how they could be cacheable (toolbar is one example).

This is a mix of detail/nitpicks/highlevel/random thoughts.

Change: \Drupal\Core\Routing\Access\AccessInterface now also implements the newly added CacheabilityAffectorInterface

I wonder whether we could theoretically let us just mark specific instances as CacheabilityAffectorInterface given that this adds a dependency for our routing component to our cache component. Otherwise add a CacheableAccessInterface which includes both or something else.

1. +++ b/core/lib/Drupal/Core/Access/AccessCheckResult.php
   @@ -0,0 +1,87 @@
   +/**
   + * Value object for passing an access check result with cacheability metadata.
   + */
   +class AccessCheckResult {
   

   <3 value objects! We have to open up a beer on value objects at drupalaton

2. +++ b/core/lib/Drupal/Core/Access/AccessCheckResult.php
   @@ -0,0 +1,87 @@
   +   * @var string
   

   Meh, can we describe that just a couple of constants are allowed here?

3. +++ b/core/lib/Drupal/Core/Access/AccessCheckResult.php
   @@ -0,0 +1,87 @@
   +   *   Whether this access check result is cacheable or not. This is crucial
   +   *   information for the access check result, hence it must be set upon
   +   *   construction.
   

   It would be great to have some definition somewhere which explains the concept of cacheability.

4. +++ b/core/lib/Drupal/Core/Access/AccessCheckResult.php
   @@ -0,0 +1,87 @@
   +    // Calculate the combined result, starting with the merged cacheability
   +    // metadata.
   +    $access = new AccessCheckResult(TRUE);
   +    $merge_cacheability = function(Cacheability $carry, AccessCheckResult $current) {
   +      return $carry->merge($current->cacheability);
   +    };
   +    $access->cacheability = array_reduce($access_check_results, $merge_cacheability, $access->cacheability);
   +
   +    $get_access = function(AccessCheckResult $access_check_result) {
   +      return $access_check_result->value;
   +    };
   +    $access_check_values = array_map($get_access, $access_check_results);
   

   Nothing against the usage of map and reduce but can we try to explain a bit better what the code does at the end?

5. +++ b/core/lib/Drupal/Core/Access/AccessCheckResult.php
   @@ -0,0 +1,87 @@
   +
   +    // 'ANY' merging behavior: at least one checker should allow access.
   +    if ($behavior === 'ANY' && in_array(AccessInterface::ALLOW, $access_check_values, TRUE)) {
   +      $access->value = AccessInterface::ALLOW;
   +    }
   +    // 'ALL' merging behavior: every checker should allow access.
   +    else if ($behavior === 'ALL' && !in_array(AccessInterface::DENY, $access_check_values, TRUE)) {
   +      $access->value = AccessInterface::ALLOW;
   +    }
   +
   

   Does that mean we cannot longer lazy-evaluate multiple access checkers? Just like if we would have overridden the && operator in cpp.

6. +++ b/core/lib/Drupal/Core/Access/AccessCheckResult.php
   @@ -0,0 +1,87 @@
   +  public static function any(array $access_check_results) {
   ...
   +  public static function all(array $access_check_results) {
   

   This is btw. NOT a value object ... as it contains quite some logic. Maybe the logic should live somewhere else.

7. +++ b/core/lib/Drupal/Core/Access/AccessManager.php
   @@ -41,7 +41,7 @@ class AccessManager implements ContainerAwareInterface, AccessManagerInterface {
   @@ -194,10 +194,18 @@ public function checkNamedRoute($route_name, array $parameters = array(), Accoun
   
   @@ -194,10 +194,18 @@ public function checkNamedRoute($route_name, array $parameters = array(), Accoun
   +      // Cacheable until extensions change.
   +      $access->cacheability->setTags(array('extension' => TRUE));
   

   Well, routes are not only provided by extensions but also my actions in the UI: create a new page manager display/view. So is this really cacheable that way?

8. +++ b/core/lib/Drupal/Core/Access/AccessManager.php
   @@ -228,30 +236,34 @@ public function check(Route $route, Request $request, AccountInterface $account)
      protected function checkAll(array $checks, Route $route, Request $request, AccountInterface $account) {
   ...
   +      // Stop as soon as the first DENY or KILL is encountered.
   +      if ($result->value !== AccessInterface::ALLOW) {
            break;
   

   Okay we seem to still be able to lazy-evaluate stuff.

9. +++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
   @@ -45,15 +45,19 @@ function __construct(CsrfTokenGenerator $csrf_token) {
   +    $access = new AccessCheckResult(FALSE);
   
   @@ -61,12 +65,14 @@ public function access(Route $route, Request $request) {
   +      $access->value = static::ALLOW;
   

   It is a little bit odd to have one bit set via the constructor and one on the property, but yeah this is not horrible just odd.

10. +++ b/core/lib/Drupal/Core/Cache/Cacheability.php
    @@ -0,0 +1,138 @@
    +    // Use the lowest max-age.
    +    if ($this->maxAge === Cache::PERMANENT) {
    +      // The other max-age is either lower or equal.
    +      $this->setMaxAge($other->maxAge);
    +    }
    +    else {
    +      $this->setMaxAge(min($this->maxAge, $other->maxAge));
    +    }
    +    return $this;
    

    I am confused. Let's assume $this has max age 10 and $other has permanent. Given that permanent is -1 it will be set. I would have expected 10 to be lower

11. +++ b/core/lib/Drupal/Core/Entity/EntityAccessController.php
    @@ -89,23 +93,37 @@ public function access(EntityInterface $entity, $operation, $langcode = Language
    +    // Calculate the combined result, starting with the merged cacheability
    +    // metadata.
    +    $result = new AccessCheckResult(TRUE);
    +    $merge_cacheability = function(Cacheability $carry, AccessCheckResult $current) {
    +      return $carry->merge($current->cacheability);
    +    };
    +    $result->cacheability = array_reduce($access, $merge_cacheability, $result->cacheability);
    +
    +    $get_access = function(AccessCheckResult $access_check_result) {
    +      return $access_check_result->value;
    +    };
    +    $access_check_values = array_map($get_access, $access);
    

    Isn't that the exact same code as in the merge method of AccessCheckResult?

12. +++ b/core/lib/Drupal/Core/Entity/EntityForm.php
    @@ -229,7 +230,7 @@ protected function actions(array $form, FormStateInterface $form_state) {
    +        '#access' => $this->entity->access('delete')->value === AccessInterface::ALLOW,
    

    I wonder whether we could add methods like isAllowed, isDenied and isKilled on the AccessCheckResult object. There are a couple of places where we do such an comparison

13. +++ b/core/lib/Drupal/Core/Field/FieldItemList.php
    @@ -197,7 +199,9 @@ public function access($operation = 'view', AccountInterface $account = NULL) {
    -    return TRUE;
    +    $access = new AccessCheckResult(TRUE);
    +    $access->value = AccessInterface::ALLOW;
    +    return $access;
    

    It is quite sad how much worse the DX is. We worked as hard to make access as simple as possible, using service tags instaed of appliesStatic() and what not.

14. +++ b/core/lib/Drupal/Core/Menu/LocalTaskManager.php
    index 125bbf0..9778afa 100644
    --- a/core/lib/Drupal/Core/Menu/MenuLinkBase.php
    
    --- a/core/lib/Drupal/Core/Menu/MenuLinkBase.php
    +++ b/core/lib/Drupal/Core/Menu/MenuLinkBase.php
    
    +++ b/core/lib/Drupal/Core/Menu/MenuLinkBase.php
    +++ b/core/lib/Drupal/Core/Menu/MenuLinkBase.php
    @@ -9,6 +9,8 @@
    

    I don't see changes to the interface ... This also not sounds like a proper is*() method anymore, given that it returns a value object.

15. +++ b/core/lib/Drupal/Core/Menu/MenuLinkDefault.php
    @@ -94,7 +96,9 @@ public function getDescription() {
       public function isResettable() {
         // The link can be reset if it has an override.
    -    return (bool) $this->staticOverride->loadOverride($this->getPluginId());
    +    $access = new AccessCheckResult(FALSE);
    +    $access->value = ((bool) $this->staticOverride->loadOverride($this->getPluginId())) ? AccessInterface::ALLOW : AccessInterface::DENY;
    +    return $access;
       }
    

    Why is that not cacheable? Nothing changes beside the Plugin ID. In general I really wonder whether it is worth to cache that admin listing, given that it contains potentially nodes/entities which aren't cacheables again. I guess your plan is to cache /admin menu?

16. +++ b/core/modules/block/src/BlockBase.php
    @@ -156,10 +158,17 @@ public function access(AccountInterface $account) {
    +    // This should not be hardcoded to an uncacheable access check result, but
    +    // in order to fix that, we need condition plugins to return cache contexts,
    +    // otherwise it will be impossible to determine by which cache contexts the
    +    // result should be varied.
    

    Can we add a todo + followup?

17. +++ b/core/modules/book/src/Access/BookNodeIsRemovableAccessCheck.php
    @@ -39,11 +40,15 @@ public function __construct(BookManagerInterface $book_manager) {
    +    // Cacheable until the book node is modified.
    +    $access->cacheability->setTags($node->getCacheTag());
    +    $access->value = $this->bookManager->checkNodeIsRemovable($node) ? static::ALLOW : static::DENY;
    

    This seems to assume book manager internals ... but I guess this is fine.

18. +++ b/core/modules/comment/src/CommentAccessController.php
    @@ -22,33 +24,67 @@ class CommentAccessController extends EntityAccessController {
    +          $commented_entity_access = $entity->getCommentedEntity()->access($operation, $account);
    +          // We want access the commented entity to determine access to the
    +          // comment, so we don't specify an opinion yet (we use DENY), but we
    +          // want our cacheability metadata to be reflected, so we merge our
    +          // access check result with that of the commented entity using the
    +          // AccessCheckResult::any() method.
    

    Can't we just get the commented_entity_access and set the cacheablity tags on there? This merging feels more complex tbh.

19. +++ b/core/modules/contact/src/CategoryAccessController.php
    @@ -22,14 +24,22 @@ class CategoryAccessController extends EntityAccessController {
           // Do not allow access personal category via site-wide route.
    -      return $account->hasPermission('access site-wide contact form') && $entity->id() !== 'personal';
    +      $access->value = ($account->hasPermission('access site-wide contact form') && $entity->id() !== 'personal') ? AccessInterface::ALLOW : AccessInterface::DENY;
    ...
    +      $access->value = ($account->hasPermission('administer contact forms') && $entity->id() !== 'personal') ? AccessInterface::ALLOW : AccessInterface::DENY;
    +      // Cacheable per role.
    +      $access->cacheability->addContexts(array('cache_context.user.roles'));
    

    I try to understand where the $entity->id() condition is taken into account for cacheability.

20. +++ b/core/modules/file/src/FileAccessController.php
    @@ -21,21 +23,26 @@ class FileAccessController extends EntityAccessController {
    +    $no_access = new AccessCheckResult(TRUE);
    +    $no_access->value = AccessInterface::DENY;
    ...
    +
    +    return $no_access;
    

    Maybe just create this object right before returning it. It is not used somewhere else.

21. +++ b/core/modules/menu_ui/src/Form/MenuLinkResetForm.php
    @@ -115,12 +116,13 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
    +    $access->value = $menu_link_plugin->isResettable() ? AccessInterface::ALLOW : AccessInterface::DENY;
    

    didn't you changed that to a value object? This will always be true.

22. +++ b/core/modules/node/src/NodeAccessController.php
    @@ -59,15 +61,24 @@ public static function createInstance(ContainerInterface $container, EntityTypeI
    +    $parent_access = parent::access($entity, $operation, $langcode, $account);
    +    return AccessCheckResult::any(array($access, $parent_access));
    

    Same as before, why do we not set the cacheablity directly here. this any-ness is confusing.

23. +++ b/core/modules/node/src/NodeGrantDatabaseStorage.php
    @@ -54,10 +56,12 @@ public function __construct(Connection $database, ModuleHandlerInterface $module
    +    $access = new AccessCheckResult(TRUE);
    ...
         if (!$this->moduleHandler->getImplementations('node_grants') || !$node->id()) {
    -      return;
    

    Just move the $access into the if()

24. +++ b/core/modules/node/src/NodeGrantDatabaseStorage.php
    @@ -86,7 +90,14 @@ public function access(NodeInterface $node, $operation, $langcode, AccountInterf
    +    // Node grants currently don't have any cacheability metadata. Hopefully, we
    +    // can add that in the future, which would allow this access check result to
    +    // be cacheable. For now, this must remain marked as uncacheable, even when
    +    // it is theoretically cacheable, because we don't have the necessary meta-
    +    // data to know it for a fact.
    +    $access = new AccessCheckResult(FALSE);
    

    TODO + followup.

25. +++ b/core/modules/quickedit/tests/src/Access/EditEntityFieldAccessCheckTest.php
    @@ -60,34 +62,49 @@ protected function setUp() {
    +      ->will($this->returnValue($entity_access));
    ...
    +      ->will($this->returnValue($no_entity_access));
    

    Let's use $this->willReturn instead.

26. +++ b/core/modules/shortcut/shortcut.module
    @@ -104,35 +114,49 @@ function shortcut_set_edit_access(ShortcutSetInterface $shortcut_set = NULL) {
    +  else if ($user->id() == $account->id()) {
    

    ha, it is elseif (I don't know why though)

27. +++ b/core/modules/system/entity.api.php
    @@ -524,7 +525,11 @@
    +  // Cacheable per role.
    +  $access->cacheability->setContexts(array('cache_context.user.roles'));
    +  $access->value = NULL;
    
    @@ -550,7 +554,11 @@ function hook_entity_access(\Drupal\Core\Entity\EntityInterface $entity, $operat
    +  // Cacheable per role.
    +  $access->cacheability->setContexts(array('cache_context.user.roles'));
    +  $access->value = NULL;
    

    NULL is cacheable per role? maybe we should use a hasPermission() as example

28. +++ b/core/modules/toolbar/src/Controller/ToolbarController.php
    @@ -44,7 +45,11 @@ public function subtreesJsonp() {
    +    $access = new AccessCheckResult(TRUE);
    +    // Cacheable per role.
    +    $access->cacheability->setContexts(array('cache_context.user.roles'));
    +    $access->value = ($this->currentUser()->hasPermission('access toolbar') && ($hash == _toolbar_get_subtrees_hash($langcode))) ? AccessInterface::ALLOW : AccessInterface::DENY;
    

    Just a general question: You add a new entry to a menu, which will change the hash. How will this be reflected here? The url might change, so the access might be granted even the actual hash could be already different.

29. +++ b/core/modules/update/src/Access/UpdateManagerAccessCheck.php
    @@ -39,7 +40,11 @@ public function __construct(Settings $settings) {
    +    // Uncacheable because the access check result depends on a Settings
    +    // key-value pair, and can therefore change at any time.
    
    +++ b/core/modules/user/src/Access/RegisterAccessCheck.php
    @@ -24,10 +25,15 @@ class RegisterAccessCheck implements AccessInterface {
    +    $access = new AccessCheckResult(TRUE);
    +    $access->value = ($request->attributes->get('_menu_admin') || $account->isAnonymous()) && (\Drupal::config('user.settings')->get('register') != USER_REGISTER_ADMINISTRATORS_ONLY) ? static::ALLOW : static::DENY;
    +    // Cacheable per role.
    

    So what is different between settings and config?

30. +++ b/core/modules/user/src/UserAccessController.php
    @@ -20,44 +22,60 @@ class UserAccessController extends EntityAccessController {
    +    // Administrators can view/update/delete  all user profiles.
    

    sometimes I see two spaces.

So you're adding cacheability information (throught the Cacheability value object) onto the AccessCheckResult object, but at which point are you actually using the Cacheability object to cache anything ? Will that be in specific usages such as in menu links caching ?

While this seems to be thoroughly thought, my first reaction while reading this patch was it seems that there is so many value object indirection here. That thought put aside the only thing that bothers me is the fact that AccessCheckResult knows about Cacheability value object; Eventually it couples the access check system to the cache system somehow, at the interface level of the AccessManagerInterface and that's really inconvenient and probably unnecessary.

The cacheability is supposed to be used only the menu links to be cacheable, and only for the ones that would need later display (tabs, contextual or action links, and menu blocks). Isn't there a way to keep the cacheability information at this level ? It would be great to see this not bleeding over the raw access system.

What matters above all, is that all access checkers, and in fact anything that implements AccessibleInterface, plus on top of that all the entity access-related things (the hooks and EntityAccessControllerInterface) has been converted to no longer return either an AccessInterface constant or TRUE/FALSE/NULL, but is now without exception converted to returning an AccessCheckResult object. Why an object? Because we can then associate cacheability metadata with the result.

I'm currently torn on this. I think I see the value of it (as opposed to separating in the way I suggested in #8), but I think the top of #18 and #19 raise some good concerns about the DX + complexity of intertwining the result value and its cacheability info. I need to think about this some more before giving substantive feedback. But I'm very happy to see so much (i.e., all of the) conversion done already, since looking through all those use cases will inform the benefit / weight analysis + options for alternative formulations.

I'd like to see stub usage of this even if it's pseudo code, because I'm not sure how it resolves the following;

The point at which you need to know cacheability metadata is when determining a cache ID. At that point no access checkers can be run, because you don't know what they will be yet.

#2099137: Entity/field access and node grants not taken into account with core cache contexts is open for this and the overall idea so far for entity render caching was just to allow access modules to interact at the point the cache ID is created, that doesn't at all appear to be the case here.

We can then effectively render cache all those menu links whose access check result's cacheability metadata only contains the "per role" cache context. We can also still render cache them if they have any cache tags ("cache until user X is modified"). Any menu links whose access check result depends not only on role, but also on e.g. language will be rendered into a render cache placeholder.

How do you find this out without running the access checkers?

Let's take your example:

As you can see, there are several "phases" or "levels of access" contained within this access checker:

First phase: if we're checking access to the anonymous user's profile, the answer is always KILL. This is a globally cacheable result, because the answer is the same for everyone, always. If this is not the case, go to the next step.
Second phase: if the current request is from a user that has the all-encompassing "administer users" permission, then the answer is always ALLOW. Since it depends on a permission, it's cacheable per role. If this is not the case, go to the next step.
Third phase: if the current request is from the owner of the profile, then the answer is always ALLOW. Since this depends just on the user that's looking at the profile, this result is cacheable per user.
Fourth phase: if the current request is from a user that mayh view user profiles, then the answer is ALLOW if the user is not blocked, and DENY if blocked. (DENY, not KILL, so that some contrib module may add a "access blocked user profiles" permission.) Since this depends on a permission and on the status of the entity, it's cacheable per role, but only until the profile's user entity is modified (because that might block or unblock that user).
Fifth phase: if none of the above is applicable, then we default/fall back to DENY, which means as much as "no opinion".

Let me see if I've got this right:

Empty cache.

User A visits with 'administer users', the menu link is cached as HTML because it's treated as per-role. The cid of the render-cached menu includes the role hash so that's fine.

User B visits without that permission, it gets to phase three and returns per-user, because it's per-user, we stick it in placeholder instead.

This means that for some roles the item is a placeholder, and for others it is directly cached in the HTML. Whether it's cached in the HTML or put into a placeholder depends on whether the granularity the access checker returns matches the configuration of cache granularity. Since the overall granularity is known up-front, it's fine to compare this and treat individual links differently.

If that's right, I have another question, but I'll make sure we're on the same page so far before continuing :)

Just as a note, I'm quite convinced the cache metadata should not bleed and hard-couple the access check system to it. There are probably a lot of other layers in there where we can act upon to add the caching metadata. For example I'd say that menu links could use an additional interface over the controlers with an simple getCacheabilityInformation() (stupid name) method in order to build the menu links cache. Ideally I think the cacheability here solves a very specific problem and should live in the business layer where it solves it.

OK so the next question would be this:

The number of access checks where there are multiple potential cacheabilities is fairly low (although entity access accounts for a lot in practice).

Entity access checks tend to only return early for users with administrative permissions. While having granularity as part of the return value allows for optimizing the case where an access check returns early for some users, I'm not sure there's enough of a trade-off there to justify the complexity (and where there is, it could probably be solved by splitting some of these up anyway). Non-administrative users will generally end up with a placeholder.

So that leaves me wondering why we can't (similar to pounard's suggestion) have a method on access checks that returns access check granularity - that could also be optional and default to the highest granularity. In core the permission access check would be per-role and any router item with just that can be cached per role.

This would massively simplify what access checkers have to do (just return the most pessimistic granularity they need from a method, or do nothing to get the most pessimistic granularity possible).

Additionally I think it'll be faster on cache misses:

In the current approach, if an access check has a granularity of worse than per-role, we'll run it once to determine the granularity. Then the placeholder gets added to the menu. Then #post_render_cache is going to run the access check again to determine if the link is actually renderable or not. So all the worst access checks get run twice on that request.

If we have just a method, then we only need to run that method when generating the HTML string since we can get granularity without running the check, then the actual access checks only get run in #post_render_cache.

That also means that the render-cached portion of the menu will get into the cache quicker, since potentially expensive access checks don't need to be run before the HTML can be set - would help slightly in a cache stampede situation.

Also even if it's in a separate method, it'd potentially be feasible to do something like return per role if the current user is an admin else something else. Can't use context from route parameters of course.

At a conceptual level, this patch makes a lot of sense to me. Access checks have dependencies (i.e. contexts) and thus need to affect the granularity of caches. Having them return those contexts is a step forward.

What matters above all, is that all access checkers, and in fact anything that implements AccessibleInterface, plus on top of that all the entity access-related things (the hooks and EntityAccessControllerInterface) has been converted to no longer return either an AccessInterface constant or TRUE/FALSE/NULL, but is now without exception converted to returning an AccessCheckResult object. Why an object? Because we can then associate cacheability metadata with the result.

Ok, thinking about it more, I agree with that much. Meaning, I agree with changing AccessibleInterface::access() and *AccessCheck::access() methods to return an object instead of a string, in order to allow (but not require, see the end of this comment) said object to be capable of returning cacheability metadata.

First, I'll clarify why I agree with that by responding to catch's question:

So that leaves me wondering why we can't (similar to pounard's suggestion) have a method on access checks that returns access check granularity

While a method on access check services might be sufficient in some cases, it doesn't cover some of the most important ones. Take for example, a menu with 100 links in it, all to nodes, where 1 of the nodes is unpublished. Assuming the site isn't implementing per-user node grants, then 99 of those access check results can be cached per-role, and only 1 (the unpublished one) needs to be per-user (because of the "view own unpublished content" permission). So the goal is to be able to render-cache the entire menu per-role, and have a #post_render callback for just the one link to the unpublished node. That way, on a (per-role) cache hit, we don't even need to load the 99 published nodes, let alone invoke ->access() on them. Neither the EntityAccessCheck service (which is a single object for all entities, not just nodes) nor the NodeAccessController (which is a single object for all nodes) can be the ones to implement a getCacheContexts() method that solves this use case of the cache context being different per node. If we were to settle for the most pessimistic answer (per-user), then we lose out on the benefit of being able to cache much more effectively per role for the vast majority of instances.

Secondly, in response to pounard:

The cacheability is supposed to be used only the menu links to be cacheable, and only for the ones that would need later display (tabs, contextual or action links, and menu blocks). Isn't there a way to keep the cacheability information at this level ?

We already have a concept of routes having access checkers. I don't see it as being desirable in any way to invent a separate concept of link access checkers. I think any use case where you want link access to be different than route access is sketchy (we have one in core, MyAccountMenuLink::isHidden(), and I think it's sketchy, and it has a @todo about that), and needing to maintain two separate access check levels that should always be consistent with each other seems fraught with problems.

But, where I agree with pounard (at least if I'm understanding his concern correctly) is:

cache metadata should not bleed and hard-couple the access check system to it

Yes, I see the hard-coupling of AccessibleInterface::access() to have an @return of AccessCheckResult to be problematic in two ways:

1. @params and @returns should be interfaces, not implementations.
2. If we change it to an interface, then the interface shouldn't be required to return cacheability information. Instead, we can let specific implementations decide whether they want the objects they return to also implement CacheableInterface (or similar) or not. Callers can then check whether the returned object is an instance of that interface, and if not, then treat it as an uncacheable result. In practice, we might choose to make all of core's access checkers return cacheable results, but we don't need to hard-couple that dependency into AccessibleInterface. I think this is a similar recommendation that @dawehner made in #18 above his itemized list.

@catch, @pounard, @dawehner, @Wim: thoughts on the above?

We already have a concept of routes having access checkers. I don't see it as being desirable in any way to invent a separate concept of link access checkers. I think any use case where you want link access to be different than route access is sketchy (we have one in core, MyAccountMenuLink::isHidden(), and I think it's sketchy, and it has a @todo about that), and needing to maintain two separate access check levels that should always be consistent with each other seems fraught with problems.

Yeah, we worked hard to use routes for access checking in various "links" related places. For now they work really fine, no reason to come up
with a new concept.

If we change it to an interface, then the interface shouldn't be required to return cacheability information. Instead, we can let specific implementations decide whether they want the objects they return to also implement CacheableInterface (or similar) or not. Callers can then check whether the returned object is an instance of that interface, and if not, then treat it as an uncacheable result. In practice, we might choose to make all of core's access checkers return cacheable results, but we don't need to hard-couple that dependency into AccessibleInterface. I think this is a similar recommendation that @dawehner made in #18 above his itemized list.

I do like this idea. This would allow us to keep a separated subsystem and share it with the world at some point. More important this keeps
us flexible as maybe someone has more ideas than just cacheable, maybe lazy-evaluation etc.

@params and @returns should be interfaces, not implementations.

Personally I don't see this per defition as a big problem though just for usage inside a limited scope of code though this isn't really the case here.

While a method on access check services might be sufficient in some cases, it doesn't cover some of the most important ones. Take for example, a menu with 100 links in it, all to nodes, where 1 of the nodes is unpublished.

If we want to optimize those kind of cases I would rather suggest to optimize on the tree level, see #2250315: Regression: Bring back node access optimization to menu trees

needs to be per-user (because of the "view own unpublished content" permission).

I don't think this is one of the 'most important' cases, we just shouldn't be supporting this all the time by default. That permission should be opt-in for listings, and it already is for things like the front page view that check published as opposed to not published || author = user (unless you especially configure that via Views).

I'm not sure that's even desirable during normal operations - i.e. would you want unpublished handbook items to show up in the book navigation during normal browsing on Drupal.org? On the front page?

#32 doesn't answer the 'double check' issue on cache misses mentioned in #29, that feels like a showstopper to me unless I've got that wrong.

If we have just a method, then we only need to run that method when generating the HTML string since we can get granularity without running the check, then the actual access checks only get run in #post_render_cache.

By this, I mean the granularity of the access check/link, not the granularity of the entire menu.

I think you've misunderstood what I was asking for, here's a rough idea of how I think it could look:

A method gets added to each access checker which returns the granularity needed for the access check (not the menu).

This granularity can be based on information in the current request (so it would allow for entity access to return per-role if the user has certain permissions), but it would not be allowed to depend on route parameters.

Based on that return, links are rendered directly in the menu (and access checked there), or put into render cache placeholders.

The only difference from the proposal is that the determination is put into a separate method rather than the return value of the access check, and that the method does not get the route parameters as context. Should still cover most cases though where the granularity requirements are different.

. It very often amounts to comparing the entity's owner ID to the current user ID, both of which are already loaded into memory anyway, so these "worst access checks" (with worse (more granular) than "per role" cacheability) usually amount to a function call in which very simple comparisons are performed.

We should be aiming for a situation where the entity is not actually loaded into memory - exactly because some of these access checks only need to check permissions, not any property of the entity. Issues like #1237636: Entity lazy multiple front loading and #638070: Router loaders causing a lot of database hits for access checks are related to this. The situation has got a bit better since #638070: Router loaders causing a lot of database hits for access checks since for example views no longer need to be instantiated to run access checks afaik.

By adding a new method instead of including it in the access result, we avoid being intrusive with code that absolutely don't care about this (for exemple base implementation will be to always return a granularity per role). And we also remove the need to have the granularity at the AccessManagerInterface level, and can be used only when necessary directly by the business code that needs it. This also would make the whole patch a lot less invasive since you won't have to modify all access checks to return something different that it already is in HEAD, and just focus on the optional granularity method on its own (the whole patch would be a lot simpler, and architecturally things would be a lot less massive).

That would be highly problematic, because then you wouldn't be able to indicate that e.g. a node is accessible, this applies to all users of this role, until the node is modified (e.g. because it is unpublished).

Not sure it prevents that. You won't get the actual node, but you'll know that the access check takes a node as a parameter, so it should be possible to indicate that. In terms of an implementation that adds cache tags to access check caches, that should also be possible by adding a separate method rather than baking it into return values no?

The only difference from the proposal is that the determination is put into a separate method rather than the return value of the access check, and that the method does not get the route parameters as context. Should still cover most cases though where the granularity requirements are different.

So we have 3 situations:

1. Route access checkers for which neither the cache granularity nor the cache tags depend on any route parameters (e.g., PermissionAccessCheck).
2. Route access checkers for which the cache granularity does not depend on route parameters, but the cache tags do (e.g., ThemeAccessCheck).
3. Route access checkers for which both cache granularity and cache tags depend on route parameters (e.g., EntityAccessCheck).

To address the first case, what if we allow, but don't require, access checkers to also implement CacheableInterface? Access checkers choosing to do this would be announcing to the system that their cache information doesn't depend on route parameters, so they prefer to provide their information directly rather than via the access result object.

To address the third case, I still don't see a way to avoid making the access result object be the one to implement CacheableInterface.

To address the second case, we could choose to create some additional method on access checkers, other than the access() method, to which we pass route parameters, but I don't see the benefit of that (I suggested something like that in #8, but the more I think about that, the more I think it doesn't help either performance or DX). If we choose to solve the 3rd case by allowing the result of the access() method to potentially implement CacheableInterface, then I think that approach is equally appropriate to use in the 2nd case (where only tags depend on the route parameters), because in most cases, it's the preparation of the route parameters that's the expensive step.

#32 doesn't answer the 'double check' issue on cache misses mentioned in #29, that feels like a showstopper to me unless I've got that wrong.

In the cases where the access check itself is potentially expensive beyond the loading of the route parameters (e.g., node access that relies on node grants), the access check result object returned by the access checker can be lazy. In other words, the object implementing both AccessCheckResultInterface and CacheableInterface just means that it needs to have a getValue() method (or perhaps instead isAllowed() and isDenied() methods, but that can be bikeshed later) and getCache*() methods. An access checker where all the logic is cheap could use something like the AccessCheckResult value object implementation in Wim's patch, but something like NodeAccessController could return a custom implementation that has a fast implementation of getCache*() and a slow implementation of getValue() that would only be invoked once. @catch: would that address your 'double check' concern?

This also would make the whole patch a lot less invasive since you won't have to modify all access checks to return something different that it already is in HEAD

Just clarifying that my proposal in this comment would still be very invasive, because it would still require changing all access checkers to return an object of type AccessResultInterface rather than a string constant. Unless we want to allow either a string or object return value, but I think that makes for ugly @return documentation and ugly logic in the callers to deal with return values that can be of different primitive types.

Overall I like the flexibility and power this gives us. The DX hit isn't too bad.

The patch doesn't apply cleanly right now.

1. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,372 @@
   +  public $contexts;
   ...
   +  public $tags;
   ...
   +  public $maxAge;
   

   Why are these public?

2. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,372 @@
   +  public function allow() {
   ...
   +  public function forbid() {
   ...
   +  public function reset() {
   ...
   +  public function allowIf($condition) {
   ...
   +  public function forbidIf($condition) {
   ...
   +  public function setCacheable($is_cacheable) {
   ...
   +  public function addCacheContexts(array $contexts) {
   ...
   +  public function resetCacheContexts() {
   ...
   +  public function addCacheTags(array $tags) {
   ...
   +  public function resetCacheTags() {
   ...
   +  public function setCacheMaxAge($max_age) {
   ...
   +  public function cachePerRole() {
   ...
   +  public function cachePerUser() {
   ...
   +  public function cacheUntilEntityChanges(EntityInterface $entity) {
   

   Why aren't these methods on the interface? I understand maybe the cache ones are separate, but allowIf and friends should be somewhere

3. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,372 @@
   +  /**
   +   * @param \Drupal\Core\Access\AccessResultInterface $other
   +   */
   +  protected function mergeCacheabilityMetadata(AccessResultInterface $other) {
   

   Missing a full docblock

4. +++ b/core/modules/views/src/ViewsAccessCheck.php
   @@ -31,11 +32,11 @@ public function applies(Route $route) {
   -    return $account->hasPermission('access all views') ? static::ALLOW : static::DENY;
   +    return AccessResult::create()->allowIf($account->hasPermission('access all views'))->cachePerRole();
   

   Taking this as an example of the patch as a whole:

   I really dislike the verbosity of "AccessResult::create()->allowIf()" since it is used so commonly. Was there any thought given to having several factory methods, like AccessResult::allowIf()?

+++ b/core/lib/Drupal/Core/Access/DefaultAccessCheck.php
@@ -21,18 +21,18 @@ class DefaultAccessCheck implements RoutingAccessInterface {
-      return static::ALLOW;
+      return AccessResult::create()->allow();
     }
     elseif ($route->getRequirement('_access') === 'FALSE') {
-      return static::KILL;
+      return AccessResult::create()->forbid();
     }
     else {
-      return static::DENY;
+      return AccessResult::create();

I can't say I like the complexity this adds, but I can't think of an alternative. That said, we could simplify the DX a little here by having return AccessResult::allowed() and AccessResult::kill() and AccessResult::deny(), which simply return a new result object set to that result. It's a bit less typing and I think more natural for people writing access checkers.

And that's what happens when I go have dinner between looking at an issue and commenting on it. :-P

Wim, can you clarify for my late-night brain what you mean by "It is possible though to get rid of that possibility, which would allow us to introduce AccessResult::allowIf()"? Get rid of which possibility, and how? It sounds like you mean get rid of the possibility of building up the object gradually, which seems like not something to lose...

+++ b/core/modules/views/src/ViewsAccessCheck.php
@@ -31,11 +32,11 @@ public function applies(Route $route) {
-    return $account->hasPermission('access all views') ? static::ALLOW : static::DENY;
+    return AccessResult::allowedIf($account->hasPermission('access all views'))->cachePerRole();

Okay, now this looks great! I didn't go through the whole thing again, but I have no more DX concerns.

+++ b/core/lib/Drupal/Core/Access/DefaultAccessCheck.php
@@ -21,18 +21,18 @@ class DefaultAccessCheck implements RoutingAccessInterface {
   public function access(Route $route) {
     if ($route->getRequirement('_access') === 'TRUE') {
-      return static::ALLOW;
+      return AccessResult::allowed();
     }
     elseif ($route->getRequirement('_access') === 'FALSE') {
-      return static::KILL;
+      return AccessResult::forbidden();
     }
     else {
-      return static::DENY;
+      return AccessResult::create();
     }

Much better! Thanks, Wim!

Initial review (nits) before dreditor crashes :)

1. +++ b/core/lib/Drupal/Core/Access/AccessManager.php
   @@ -200,10 +200,13 @@ public function checkNamedRoute($route_name, array $parameters = array(), Accoun
   +      // possible due to highly dynamic circumstances.
   

   Remove "highly".

2. +++ b/core/lib/Drupal/Core/Access/AccessManager.php
   @@ -234,30 +237,39 @@ public function check(Route $route, Request $request, AccountInterface $account)
   +      // Stop as soon as the first DENY or KILL is encountered.
   

   Can we remove all mention of DENY, KILL, and ALLOWED constants throughout core? Everything should be explained in terms of AccessResultInterface::isAllowed() and isForbidden(). How those are implemented is an implementation choice. Related, let's move the definition of the constants into AccessResult.

3. +++ b/core/lib/Drupal/Core/Access/AccessManager.php
   @@ -234,30 +237,39 @@ public function check(Route $route, Request $request, AccountInterface $account)
   +        $result = $result->andIf($other);
   

   What about just $result->andIf($other); to not hide from people that the method mutates the subject.

4. +++ b/core/lib/Drupal/Core/Access/AccessManager.php
   @@ -312,16 +318,17 @@ protected function checkAny(array $checks, $route, $request, AccountInterface $a
   +      throw new AccessException("Access error in $service_id. Access services can only return AccessResultInterface objects.");
   

   "... Access services must return an object that implements AccessResultInterface".

5. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,438 @@
   +    return new AccessResult();
   

   Everywhere in this class: s/AccessResult/static/

6. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,438 @@
   +  public function reset() {
   

   This should either also invoke the other reset*() methods, or else be renamed to resetValue(), resetAccess() or similar.

7. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,438 @@
   +  public function allowIf($condition) {
   +    $this->value = $condition ? AccessInterface::ALLOW : AccessInterface::DENY;
   

   Do we want to overwrite $this->value if $condition is FALSE? Same q for forbidIf().

8. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,438 @@
   +   * AccessResult objects solely return cache context IDs, no 'regular' strings.
   

   What does this mean?

9. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,438 @@
   +   * It's not very useful to cache individual cache results, but the interface
   

   individual access results

10. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
    @@ -0,0 +1,438 @@
    +   * Convenience method, to simply setting the "per role" cache context.
    

    Adds the 'cache_context.user.roles' cache context.

11. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
    @@ -0,0 +1,438 @@
    +   * Convenience method, to simply setting the "per user" cache context.
    

    Adds the 'cache_context.user' cache context.

12. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
    @@ -0,0 +1,438 @@
    +   * Convenience method, to simplify setting an entity's cache tag.
    

    Adds the entity's cache tag.

13. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
    @@ -0,0 +1,438 @@
    +    // If this AccessResult already is forbidden, then that already is the
    +    // conclusion. We can completely disregard $other.
    

    Does this mean order of operations will affect cache metadata (i.e., we end up with a more aggressively cleared cache than we need if the forbidden one is the argument rather than the subject)?

14. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
    @@ -0,0 +1,438 @@
    +    if ($this->isForbidden() || !$this->isAllowed()) {
    

    Since we're checking !isAllowed(), do we need the isForbidden() check?

Re #58.7: Or, what about removing the instance-level allowIf() and forbidIf()? There are few callers of them, and I don't think they'd be made worse by having their own if statement.

Got through core/lib. Still need to review core/modules and core/tests, if no one else does.

1. +++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
   @@ -74,10 +75,11 @@ public function access(EntityInterface $entity, $operation, $langcode = Language
   -    if (($return = $this->processAccessHookResults($access)) === NULL) {
   +    $return = $this->processAccessHookResults($access);
   +    if (!$return->isAllowed() && !$return->isForbidden()) {
          // No module had an opinion about the access, so let's the access
   -      // handler check create access.
   -      $return = (bool) $this->checkAccess($entity, $operation, $langcode, $account);
   +      // handler check access.
   +      $return = $this->checkAccess($entity, $operation, $langcode, $account);
        }
   

   If we enter the if statement, shouldn't we still ->orIf() instead of overwrite, since the lack of module opinion might be conditional on something dynamic?

2. +++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
   @@ -122,19 +128,19 @@ protected function processAccessHookResults(array $access) {
        if ($operation == 'delete' && $entity->isNew()) {
   -      return FALSE;
   +      return AccessResult::forbidden()->cacheUntilEntityChanges($entity);
        }
        if ($admin_permission = $this->entityType->getAdminPermission()) {
   -      return $account->hasPermission($admin_permission);
   +      return AccessResult::allowedIf($account->hasPermission($this->entityType->getAdminPermission()))->cachePerRole();
        }
   

   Where is it communicated that the result also depends on $entity->id()? Or is it up to the caller to know that (e.g., for menu links, not a problem, but not sure about other use cases). Same question might apply to other access checkers and their various arguments, this is just the one that caught my attention.

3. +++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
   @@ -224,10 +229,11 @@ public function createAccess($entity_bundle = NULL, AccountInterface $account =
   +    if (!$return->isAllowed() && !$return->isForbidden()) {
          // No module had an opinion about the access, so let's the access
          // handler check create access.
   -      $return = (bool) $this->checkCreateAccess($account, $context, $entity_bundle);
   +      $return = $this->checkCreateAccess($account, $context, $entity_bundle);
        }
   

   Same as above re needing an ->orIf() instead of overwrite.

4. +++ b/core/lib/Drupal/Core/Menu/MenuLinkDefault.php
   @@ -94,7 +95,7 @@ public function getDescription() {
   -    return (bool) $this->staticOverride->loadOverride($this->getPluginId());
   +    return AccessResult::allowedIf($this->staticOverride->loadOverride($this->getPluginId()))->setCacheable(FALSE);
   

   Is the setCacheable(FALSE) because we don't have cache tags for non-entity config objects? If so, a @todo would be nice. Related: #2040135-4: Caches dependent on simple config are only invalidated on form submissions.

update the IS to include the actual outside API change.

To tackle the accidental boolean issue we should keep the existing methods (and return boolean), the existing access manager interface
but add a new one AccessManagerWithCacheContext which adds methods which returns the access objects. This ensures that we don't accidentaly leak information

Queued for re-testing because I cannot reproduce the 4 test failures locally.

FWIW, I get the same 4 failures when running locally via the Simpletest web UI when applying #62 on top of core commit 2191f864ab27e8457c25cbeb4e0fe2a5b644a263. I didn't try via run-tests.sh.

1. +++ b/core/modules/block/block.api.php
   @@ -152,8 +155,11 @@ function hook_block_access(\Drupal\block\Entity\Block $block, $operation, \Drupa
      if ($operation == 'view' && $block->get('plugin') == 'system_powered_by_block' && $block->get('region') != 'footer') {
   -    return FALSE;
   +    return AccessResult::forbidden();
   

   Does this need cache tags added for $block?

2. +++ b/core/modules/comment/src/CommentAccessControlHandler.php
   @@ -23,24 +24,23 @@ class CommentAccessControlHandler extends EntityAccessControlHandler {
   +      default:
   +        // No opinion.
   +        return AccessResult::create();
   

   Before the switch statement, we checked a permission, so this should be cached per role.

3. +++ b/core/modules/comment/src/Tests/CommentTranslationUITest.php
   @@ -153,7 +153,8 @@ function testTranslateLinkCommentAdminPage() {
   -    $this->assertNoLinkByHref('comment/' . $cid_untranslatable . '/translations');
   +    // @todo uncomment this, I just needed to be able to finally post this patch, no more energy for debugging
   +//    $this->assertNoLinkByHref('comment/' . $cid_untranslatable . '/translations');
   

   Time to debug this.

4. +++ b/core/modules/content_translation/src/Access/ContentTranslationManageAccessCheck.php
   @@ -86,24 +87,26 @@ public function access(Route $route, Request $request, AccountInterface $account
   +          $is_new_translation = $condition = ($source_language->getId() != $target_language->getId()
   

   Why the $condition intermediary?

5. +++ b/core/modules/field/tests/modules/field_test/field_test.field.inc
   @@ -40,14 +41,14 @@ function field_test_default_value(ContentEntityInterface $entity, FieldDefinitio
      if ($field_definition->getName() == "field_no_{$operation}_access") {
   -    return FALSE;
   +    return AccessResult::forbidden()->cacheUntilEntityChanges($items->getEntity());
      }
    
      // Only grant view access to test_view_field fields when the user has
      // 'view test_view_field content' permission.
      if ($field_definition->getName() == 'test_view_field' && $operation == 'view' && !$account->hasPermission('view test_view_field content')) {
   -    return FALSE;
   +    return AccessResult::forbidden()->cachePerRole()->cacheUntilEntityChanges($items->getEntity());
      }
    
   -  return TRUE;
   +  return AccessResult::allowed();
   

   Why add cache tags for $items->getEntity(). But, we will want cache tags for $field_definition: that can be a @todo followup though. Also, the allowed() needs to be per role too, right?

6. +++ b/core/modules/node/node.pages.inc
   @@ -37,3 +37,68 @@ function template_preprocess_node_add_list(&$variables) {
   +function node_preview(NodeInterface $node, FormStateInterface $form_state) {
   +function template_preprocess_node_preview(&$variables) {
   

   Rogue hunks from a different issue?

7. +++ b/core/modules/system/entity.api.php
   @@ -1860,13 +1860,14 @@ function hook_entity_field_access($operation, \Drupal\Core\Field\FieldDefinition
   +    $grants['node']->reset();
   

   resetAccess()

8. +++ b/core/modules/system/src/Tests/Entity/EntityViewBuilderTest.php
   @@ -116,10 +116,11 @@ public function testEntityViewBuilderCacheWithReferences() {
   -    drupal_render($build);
   -
   -    // Test that a cache entry is created.
   -    $this->assertTrue($this->container->get('cache.' . $bin)->get($cid), 'The entity render element has been cached.');
   +// @todo This causes an exception that I still need to finish debugging the root cause for. Disabled for now, to make the patch reviewable.
   +//    drupal_render($build);
   +//
   +//    // Test that a cache entry is created.
   +//    $this->assertTrue($this->container->get('cache.' . $bin)->get($cid), 'The entity render element has been cached.');
   

   Time to fix.

9. +++ b/core/modules/user/src/Access/RegisterAccessCheck.php
   @@ -21,10 +22,10 @@ class RegisterAccessCheck implements AccessInterface {
   -    return ($account->isAnonymous()) && (\Drupal::config('user.settings')->get('register') != USER_REGISTER_ADMINISTRATORS_ONLY) ? static::ALLOW : static::DENY;
   +    return AccessResult::allowedIf($account->isAnonymous() && \Drupal::config('user.settings')->get('register') != USER_REGISTER_ADMINISTRATORS_ONLY)->cachePerRole();
   

   If depending on config, then not cacheable until config has cache tags.

Issue summary should also be updated to not reference CacheabilityAffectorInterface, which isn't in this patch anymore. And it would be good to make sure the API changes section lists all interfaces affected (e.g., EntityAccessControlHandlerInterface, AccessibleInterface, AccessManagerInterface, what else?).

Thanks for your persistence on this @Wim Leers!

1. +++ b/core/lib/Drupal/Core/Block/BlockBase.php
   @@ -165,10 +166,22 @@ public function access(AccountInterface $account) {
   -    return $this->blockAccess($account);
   +    if ($this->blockAccess($account)) {
   +      $access->allow();
   +    }
   +    else {
   +      $access->forbid();
   +    }
   +    return $access;
   

   Since this is a common pattern in this patch I wonder if we can improve the DX for this now that we have a rich object to work with anyway. Maybe
   $access->allowIfEslseForbid()?

2. +++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
   @@ -122,19 +128,19 @@ protected function processAccessHookResults(array $access) {
   -      return $account->hasPermission($admin_permission);
   +      return AccessResult::allowedIf($account->hasPermission($this->entityType->getAdminPermission()))->cachePerRole();
   

   This is also common in this patch. Also I think this will be one the most common use-cases in contrib, so I think we shouldn't make people ponder about cacheability when we already know that permissions are tied to roles anyway. Can we add a
   $access->allowedIfHasPermission($account, $permission) or similar which just performs the two function calls internally?

To tackle the accidental boolean issue we should keep the existing methods (and return boolean), the existing access manager interface
but add a new one AccessManagerWithCacheContext which adds methods which returns the access objects.

I disagree with this. The issue summary now lists all the different methods/functions that return an access check result. Why would we want to single out AccessManager::check()/checkNamedRoute() as following different rules than the others? I think it's cleaner for everything that returns an access check result to return an AccessResultInterface, which this patch does. Yes, that does mean that callers will need to explicitly call isAllowed(), since if ($access_result) always returns TRUE, but I think it's more likely that developers will remember to call isAllowed() if they learn that they always need to do that, rather than needing to learn when they do and when they don't.

I think the patch is RTBC other than reaching consensus on this point. @dawehner: thoughts?

@effulgentsia
Well, your argument would certainly be 100% fine in case there would be just Drupal and we would just develop for Drupal, but well, in case we would
try to write generic components, which we don't do, the code would no longer follow the rule of clean code:

 truly clean code does pretty much what you expect it to do

Yes, that does mean that callers will need to explicitly call isAllowed(), since if ($access_result) always returns TRUE, but I think it's more likely that developers will remember to call isAllowed() if they learn that they always need to do that, rather than needing to learn when they do and when they don't.

Well, let's hope developers read documentation before they write code, examples clearly show that already, right ;) ? I hope though that we still have security first
as our concept, over performance/cachablity, in case no, good luck!

+ */
+
+namespace Drupal\Core\Access;
+
+/**
+ * Interface for checking access.
+ *
+ * Note: you can check whether access is neither explicitly allowed nor
+ * explicitly forbidden:
+ *
+ * @code
+ * $no_opinion = !$access->isAllowed() && !$access->isForbidden();
+ * @endcode
+ */
+interface AccessResultInterface {

So this interface checks access, really? What about the following change:

Represents the outcome of access checking.

IMPORTANT NOTE: You have to call isAllowed() when you want to know whether someone has access. Just using
if ($access_result) would always succeed and so introduce a critical security issue.

Well, anyway, don't feel blocked on me, just want to ensure that we really don't treat some values over others.

Stop this madness now. There was a saying in a usability book (by Jef Raskin): if a control always needs to be operated do not provide that control!

If you always need to call a method then do not provide that method.

This is absolutely not acceptable and dawehner is right.

Let's say I want to do some logic based on if I have any nodes. This won't work:

if (\Drupal::entityQuery('node')->count()) {
  // There are nodes. Do something.
}
else {
  // No nodes. Do something else.
}

Because that if will always evaluate to true. Instead, I need to do:

if (\Drupal::entityQuery('node')->count()->execute()) {
  // There are nodes. Do something.
}
else {
  // No nodes. Do something else.
}

Why do I need the explicit call to execute()? Because there's something else I might want to do with a query object: execute() isn't the only method. Even though in practice, what do I usually want to do with a count query other than execute it?

Same thing here. What this issue is about is making access check results not just booleans (or tristate constants), but objects, so that callers can know more than just whether access is allowed or not, but also what that result depends on (i.e., cache contexts and tags). Unfortunately, PHP doesn't allow an object to implement a magic __toBoolean() method. Per the issue summary, there are many interfaces/methods that return an access result. Does that mean we want all of them to have a "return as boolean" and "return as object" variants? Or, can we trust that developers can learn that access results are objects on which you can call isAllowed(), just like they learned that queries are objects on which you can call execute()?

> Why do I need the explicit call to execute()? Because there's something else I might want to do with a query object

And there's nothing you can even do to the AccessResultInterface. The query object has a large amount of methods that significantly change its behavior and so it needs an execution. There is nothing like that here.

You guys long, long ago have lost any connection with reality. I am trying to drag back Drupal 8 to the ground but it's hard and if this goes in it'll be even harder.

And yet, I know there's nothing I can do. So resetting to code needs review as I know there is nothing I would say or do would change it. D8 is a lost cause. There was a brief hope when I was allowed to make it secure. Apparently that window is closed.

I hope though that we still have security first as our concept, over performance/cachablity

We need both. The most secure thing an internet user can do is unplug their computer from the internet. But we don't really tell people that they can't use the internet because there are security dangers out there. Similarly, we shouldn't have to tell people that their sites must be slow, because we're afraid to implement a performance improvement that requires developers to start dealing with an object where once they dealt with booleans, because of a fear that dealing with objects has a pathway by which it's dealt with incorrectly.

But, if we really think it's dangerous DX to return an object from a method that for some reason people expect a boolean from, then I'm fine with something like #67 where we have separate methods, or an extra parameter (e.g., $return_as_object) that defaults to FALSE. But then my question is which of our many access methods do we provide that variant on? Is there any reason to do it on AccessManager::checkNamedRoute() and not do it on Entity::access()? And if we do it on those two, which other ones do we need to add to the "important to babysit callers" list?

I see two resolutions: either #67 or won't fix the issue. Anything else results in an insecure Drupal 8. I am astounded people don't see this.

And there's nothing you can even do to the AccessResultInterface

It's not just about AccessResultInterface. It's that an object that implements AccessResultInterface can also implement other interfaces (such as CacheableInterface), so callers that receive objects can do a lot more than if only receiving a boolean.

>> I hope though that we still have security first as our concept, over performance/cachablity

> We need both.

NO WE DONT. Security is our number one concern trumping everything, including performance, usability and everything else. Drupal's history is full of these: db_select is a Drupal-only slow query builder. The form API CSRF token made AJAX hard. And so on and so on. We need to stay on this road. If we don't it's the end of Drupal and I am not kidding. What's your value proposition over Wordpress or Symfony if you are not secure?

Ok, here's my suggestion then:

Add an optional $return_as_object = FALSE parameter to:
- AccessManagerInterface::check()
- AccessManagerInterface::checkNamedRoute()
- AccessibleInterface::access()
- EntityAccessControlHandlerInterface::access()
- EntityAccessControlHandlerInterface::createAccess()
- EntityAccessControlHandlerInterface::fieldAccess()

And that's it. In other words, not the hooks, individual route access checkers, or lower level APIs like NodeGrantDatabaseStorageInterface, since the casual callers I think we're most worried about shouldn't be calling those directly, but via one of the above high-level APIs. It means each of the above implementations will need a:

return $return_as_object ? $result : $result->isAllowed();

line at the end, but that's not so bad.

@dawehner, @chx, @Wim: how does that sound?

I like that! Especially with the FALSE default... Thanks Alex!

It is certainly a worse DX but security is king.

Looks good. Let's see what catch thinks.

-        $form[$name]['#access'] = $items->access('edit')->isAllowed();
+        $form[$name]['#access'] = $items->access('edit');

I am so happy about this change. I so wish I didn't need to throw a hissy fit to get it and I am sorry I did.

Rerolled because Wim complained in another issue that this one is a pain to reroll. I like to save Wim some pain :)

Wasn't sure about this at the start, but the overall architecture makes sense now and the API itself I quite like.

Haven't got through the entire patch, few small things I noticed going through:

1. +++ b/core/lib/Drupal/Core/Access/AccessResult.php
   @@ -0,0 +1,486 @@
   +   *
   +   * It's not very useful to cache individual access results, but the interface
   +   * forces us to implement this method, so just use the default cache bin.
   +   */
   +  public function getCacheBin() {
   +    return 'default';
   +  }
   

   Should we look at splitting the cache bin method to an additional interface somewhere? This has come up before as well.

2. +++ b/core/lib/Drupal/Core/Access/AccessResultInterface.php
   @@ -0,0 +1,79 @@
   + *
   + * Note: you can check whether access is neither explicitly allowed nor
   + * explicitly forbidden:
   + *
   + * @code
   

   Not sure the neither nor is grammatically correct here. Isn't it "not explicitly allowed, or explicitly forbidden"?

3. +++ b/core/lib/Drupal/Core/Access/AccessResultInterface.php
   @@ -0,0 +1,79 @@
   +   * Combine this access result with another using OR.
   

   Looks like a copy and paste error - this is for the and method.

1. +++ b/core/modules/shortcut/src/ShortcutAccessControlHandler.php
   @@ -58,6 +59,9 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
   +    // @todo Fix this bizarre code: how can a shortcut exist without a shortcut
   +    // set? The above if-test is unnecessary.
   +    return AccessResult::create()->cacheUntilEntityChanges($entity);
   

   The @todo needs an issue

2. +++ b/core/modules/shortcut/src/ShortcutAccessControlHandler.php
   @@ -67,6 +71,9 @@ protected function checkCreateAccess(AccountInterface $account, array $context,
   +    // @todo Fix this bizarre code: how can a shortcut exist without a shortcut
   +    // set? The above if-test is unnecessary.
   +    return AccessResult::create()->cacheUntilEntityChanges($entity);
   

   $entity does not exist

I read the patch over twice once for nits and to get a feel for it and once with a security head on to ensure that everything that has changed is acceptable. Thanks @Wim Leers for your patience on IRC :)

The patch looks really good to me and the DX win of AccessResultInterface is huge. Let's get this in to unblock several other changes.

OK I'm happy with this as well now. AccessResultInterface is a good improvement in itself, then we just add the caching information on top.

Committed/pushed to 8.0.x, thanks!

While looking through the changes I noticed a few glitches and small DX issue, thus I created a quick follow-up: #2341399: Follow-up: entity.api.php documentation fixes.

+++ b/core/lib/Drupal/Core/Menu/MenuLinkBase.php
@@ -76,7 +77,7 @@ public function isExpanded() {
   public function isResettable() {
-    return FALSE;
+    return AccessResult::forbidden();
   }

#2373017: No delete link when editing a menu, only reset links