Problem/Motivation
Proposed resolution
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#9 | interdiff.txt | 4.15 KB | dawehner |
#9 | 2551037-9.patch | 24.42 KB | dawehner |
#5 | interdiff.txt | 8.37 KB | dawehner |
#5 | 2551037-5.patch | 23.13 KB | dawehner |
#2 | 2551037-2.patch | 16.04 KB | dawehner |
Comments
Comment #2
dawehnerThis is a first start.
Comment #3
Wim Leersdawehner++
Comment #5
dawehnerSome work on it.¬
Comment #7
Wim LeersThis looks great already.
Nice :)
:)
This can use other complex cases (such as entity/field access) as examples to follow.
Hrm, isn't this technically then dependent on the View's configuration, and shouldn't it therefore add the View as a cacheable dependency?
Similar remark for all other places that use
$this->options
.Comment #8
Wim LeersI think this issue needs to be critical. Without this, HEAD may for example end up render caching a view across all users, even if access was only granted to a specific user (because the cacheability metadata of the used Views access plugins does not bubble up, hence the necessary cache contexts are missing).
Comment #9
dawehnerWell, do we need to take that into account for $access or isn't all the other cache tags which are exposed with a view already good enough?
Comment #10
Wim LeersYeah, that's why I said
. In practice, it won't make a big difference because of what you said.Except… for
ViewsBlock
should — just like any other block — actually do this access checking inBlockPluginInterface::access()
. That's the correct semantical thing to do. If/when we do that, this will actually matter, because access to the block does depend on the underlying view's configuration.Comment #12
dawehnerDo we cache the result of the access() call?
Comment #13
BerdirWe don't cache an access call directly, but we might be caching a whole page that contains blocks and therefore need to be aware of their access cacheability.
For example with smartcache or eventually also with page_manager.
Comment #14
Wim Leers#2464427-203: Replace CacheablePluginInterface with CacheableDependencyInterface found good reasons to still do this:
Comment #15
BerdirSo this API change won't be possible anymore.
But I think we can at least get the cacheability metadata of the used access plugin, something like this above the actual access check:
Also, views access checks actually are render-cached, atleast for rest displays.
Comment #16
dawehnerDamnit, because well, it feels like this should be better made as a runtime level operation.
Comment #17
xjmComment #19
Mile23core/modules/user/src/Tests/Views/AccessRoleTest.php contains a @todo about this issue, which doesn't seem to be addressed in #9.
Comment #20
effulgentsia CreditAttribution: effulgentsia at Acquia commentedI don't see a pathway to that, at least not any more (maybe there was when #8 was written). Each access plugin can/should implement CacheableDependencyInterface, and if it does so, then that makes it into the cacheability information of the display and its renderings. Therefore, removing the "security" tag from this issue.
However, this issue might still make sense as a security improvement / extra protection for cases where a contrib/custom access plugin fails to implement its own CacheableDependencyInterface correctly. Tentatively tagging with "Security improvements" accordingly, but I'm demoting this to Normal priority until a case can be made (via an issue summary update) for why such an improvement should be higher priority than that.
Comment #21
dawehnerAs long we have this statement
the metadata is not there, after checking access ... Plugins can implement that plugin, but well, whatever, we ignore it.
Comment #22
xjmSo I think this is still major, just it is not a critical security issue.
Comment #27
larowlanSo now we've got to do this with a BC shim
I guess we can introduce a new interface CacheabilityMetadataAwareAccessPlugin with a new method accessWithCacheability or something
And then in the display we can juggle based on instanceof, triggering an error if something didn't return cacheability and we had to call the old access method.
And in all the existing access methods, trigger error.
And then similar changes in the displays.
Its a long road, but I think we can do it with deprecations and BC