When a user edits a entity/node that's shared across multiple domains, it ends up referencing only their domain(s)

This is a bug, and a nice report. Thank you.

The editor in this case should not have the ability to destroy domain assignments that they cannot access.

In Drupal 7 and below, we set a hidden field value to store that data and ensure it was not destroyed, and it looks like that is necessary again.

For reference, I had to do something similar here -- https://github.com/agentrickard/workbench_access/blob/8.x-1.x/workbench_...

Hi @agentrickard,

I'm facing the same problem. Can you please tell me, if this issue is going to fix in next release?

Yes. For now, you have to give everyone the 'Publish to any domain' permission as a workaround.

Here is a very quick, totally untested patch.

Better patch that seems to be working.

However, if the user cannot "Send to all affiliates" if that option is not checked, I am getting access denied to the node, which doesn't make sense.

This patch should fix the problem, but it still needs automated tests.

Please give it a try.

Note that we may have to do something similar for Domain Source.

The latest code for this is at https://github.com/agentrickard/domain/pull/283

Updated patch.

Thanks ken!

Patch #9 applied successfully against Domain Access 8.x-1.0-alpha4 release. The test results are as follow:

1) When node is assigned to single domain =>
-- Assigned Domain Source option is working as expected, do not get overridden.
-- Assigned Domain Access option is working as expected, do not get overridden.
-- Domain can be easily unassigned as well.

2) When node is assigned to multiple domains =>
-- Assigned Domain Source option is not working as expected, assigned source gets overridden on saving node from other domain.
-- Assigned Domain Access option is working as expected, do not get overridden.
-- Domain can be easily unassigned as well.

3) Nodes are easily accessible from other assigned Domains even when "Send to all affiliates" is not checked.

4) Links for nodes in Content Overview page and Views tabs (on node single views)
-- Currently links for the Node view/edit links are having base url as of assigned Domain Source even when viewed from other assigned valid Domain, should not it be the base url of current viewed Domain?
Or it is adapted like this intentionally ?

Over all the patch works fine so far except the assigned Domain Source Overridden case for multiple domains.

There are some interesting issues here, in order of the report above:

1) The base use-case works fine. Great.

2) The handler for Domain Source hidden options hasn't been written yet. If that is set to a domain the user cannot access, should the user be able to change it?

3) I assume you mean on the node/X page, and not in lists? This case is tough. If a user can edit / delete nodes assigned to their domains, and that node is displayed in a different context, you can't access edit/delete because those are denied if View is denied.

This comes from logic that I just changed, but I could restore the old behavior -- you must be on the proper domain in order to view/edit/delete. Fixing Domain Source handling would be a prerequisite of this.

4) If using Domain Source, all canonical links should be rewritten, regardless of context. Links should only go to currently viewed domain if Domain Source is not set.

Hey Ken, please find my reviews as below:

2.a) If User does not have access to the assigned Domain Source record then user should not be able to change it.
2.b) If User have the access for the assigned domain record then the user should able to change it to "none" or other domains (only if he has accesses).

3) I only meant the other problem that you mentioned in comment#6. Now there is no need to check "Send to all affiliates" options, it all works fine.

4) IMO the links other than canonical urls should go to currently viewed domain whether the Domain Source is assigned or not.

OK, good on issue #3, that's the fix I just put in place.

On #4, that would be a change in behavior. Drupal 8 now defines canonical links per entity -- generally View, Edit, Delete -- and those all get rewritten by Domain Source. That is by design and I don't think it should change.

What I haven't examined in Domain Source in D8 is the "none" behavior, which essentially should do what you describe.

Here's a revised version that should account for both Domain Access and Domain Source.

This patch introduces new services, so after applying this patch, you must rebuild the container using drush cr or a full cache clear.

To test (from #2818963: regular user not able to add content to the domain assigned):

* When a user cannot use the domain element at all, are the proper default field and node access values saved?

The use-case in #15 works as expected.

This should be fixed in Alpha6.

This patch seems no more applicable.
Could you update this patch or integrate it directly into DEV branch ?
Many thanks

I'm quite disappointed.
Parts of this patch are already applied to the DEV branch, some other parts are not applied or different.
I'm not able to update this patch without any risky drawback.

nevermind