Problem/Motivation

UserAccessControlHandler::checkAccess() has this code:

else if ($account->id() == $entity->id()) {
  return AccessResult::allowed()->cachePerUser();
}
...
return AccessResult::neutral();

The problem with this is that the cachePerUser() is not added when there is no match (checking whether user1 can view user2's profile), which allows the neutral() result to be cached across users, but then the cache can be primed with user1, and then user2 can't view his own profile.

Proposed resolution

Use the allowedIf() syntax which allows the ->cachePerUser(); to be associated in either case. This is the same approach as is done for the 'update' and 'delete' operations.

Remaining tasks

None.

User interface changes

None.

API changes

None.

Data model changes

None.

CommentFileSizeAuthor
#21 2614230-21.patch1.66 KB_utsavsharma
#21 interdiff_18-21.txt826 bytes_utsavsharma
#18 2614230-18.patch1.65 KBGauravvvv
#3 interdiff.txt685 byteseffulgentsia
#3 user-access-control-3.patch1.63 KBeffulgentsia
user-access-control.patch850 byteseffulgentsia

Issue fork drupal-2614230

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

effulgentsia created an issue. See original summary.

Wim Leers’s picture

Wim Leers
Location Ghent 🇧🇪🇪🇺
CreditAttribution: Wim Leers as a volunteer commented

Looks correct! Great catch.

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented
FileSize
user-access-control-3.patch1.63 KB
interdiff.txt685 bytes

I expected the original patch to have the same 2 test failures as in #2558599-84: Automatically assign user cache contexts/tags when using current_user service, but it didn't. However, this one does. I think this means we need to fix the tests to expect the 'user' cache context, or else have a code flow that doesn't need it.

Status: Needs review » Needs work

The last submitted patch, 3: user-access-control-3.patch, failed testing.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch at Third and Grove commented
Issue tags: +Bug Smash Initiative

Still valid, sent the patch for a re-test since it looks like it'd still apply, we'll still need to update those tests if it's the same two test failures.

Gauravvvv’s picture

Gauravvvv CreditAttribution: Gauravvvv at Axelerant for Drupal India Association commented
Status: Needs work » Needs review
FileSize
2614230-18.patch1.65 KB

I have attached a patch for 11.x. Patch #3, does not apply to 11.x so not adding interdiff.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Version: 9.5.x-dev » 11.x-dev
Status: Needs review » Needs work
Issue tags: +Needs tests

Still need a test showing the bug.

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch at Third and Grove commented 
+++ b/core/modules/user/src/UserAccessControlHandler.php
+++ b/core/modules/user/src/UserAccessControlHandler.php
@@ -56,7 +56,7 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter

@@ -56,7 +56,7 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
         }
         // Users can view own profiles at all times.
         elseif ($account->id() == $entity->id()) {
-          return AccessResult::allowed()->cachePerUser();
+          return AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser();
         }

The code flow used to be a switch, but is now an if/elseif, so I don't think this will work the same way at all - it's the final else that needs the user cache content adding, and the condition added here will always be true.

_utsavsharma’s picture

_utsavsharma CreditAttribution: _utsavsharma at OpenSense Labs for DrupalFit commented
FileSize
interdiff_18-21.txt826 bytes
2614230-21.patch1.66 KB

Tried to address the failures in #18.

Aditi Saraf made their first commit to this issue’s fork.