Problem/Motivation
Removing the "access content" permission from anonymous users, and having any block with a path condition will cause a fatal error on the homepage. This happens because of the following code in Drupal\system\Plugin\Condition\RequestPath::evaluate().
// Compare the lowercase path alias (if any) and internal path.
$path = rtrim($this->currentPath->getPath($request), '/');
$path_alias = Unicode::strtolower($this->aliasManager->getAliasByPath($path));
For the anonymous user, when they don't have access to the homepage, currentPath is set to "/". That makes sense. Unfortunately, the rtrim() removes the / and passes an empty string to AliasManagerInterface::getAliasByPath(). This causes a fatal error and everything comes to a screeching halt.
Steps to reproduce
- Remove the "View published content (access content)" permission from the anonymous user
- Set the homepage to any path that requires that permission (eg: /node)
- Create and place a block with any request path condition
- Visit the homepage as an anonymous user
Proposed resolution
Set the path to "/" after the rtrim() if it is an empty string. It's expected behavior for AliasManagerInterface::getAliasByPath() to throw an exception if the path doesn't start with a slash, so the responsibility is on the RequestPath condition plugin.
Remaining tasks
Review the patch.
User interface changes
None
API changes
None
Data model changes
None
Comment | File | Size | Author |
---|---|---|---|
#2 | 2712581-block_request_path_causes_fatal_on_homepage.patch | 871 bytes | rbayliss |
Comments
Comment #2
rbayliss CreditAttribution: rbayliss at Last Call Media commentedComment #3
codexmas CreditAttribution: codexmas at Acquia commentedI have encountered the same issue and can validate that your patch fixes the issue.
My patch is apparently not digestible, deferring to yours.
Comment #5
codexmas CreditAttribution: codexmas at Acquia commentedPatch tested and works
Comment #6
catchWe should rtrim first, then just replace an empty string with a forward slash if there is one since that's the much less common case.
Also this needs test coverage.
And bumping to major - while it's not particularly easy to run into this, it's possible to configure yourself into a fatal error from the UI which is not good.
Comment #7
rbayliss CreditAttribution: rbayliss at Last Call Media commentedAppears to have been fixed in #2708629: \Drupal\system\Plugin\Condition\RequestPath::evaluate() fails if the current path is '/'.