Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Seriously, why does the NodeGrantDatabaseStorage change regular node access (not queries), but only when there are hook implementations. This means that any website where Group was the only module implementing hook_node_grants() will now get different results because we removed said hook.
Working on a patch with a fix for all grouped entity types + ample testing that proves access is properly checked for grouped entities.
Comment | File | Size | Author |
---|---|---|---|
#2 | group-3160329-2.patch | 120.95 KB | kristiaanvandeneynde |
|
Comments
Comment #2
kristiaanvandeneyndeComment #4
kristiaanvandeneyndeCritical enough to warrant an 8.x-1.1 release ASAP
Comment #5
pagaille CreditAttribution: pagaille commentedPatch in #2 is trying to create a tests folder outside of the web folder, see screenshot. I re-rolled the patch without the wandering test files.
Comment #6
kristiaanvandeneyndeNo it doesn't? It tested and applied cleanly.
Comment #7
pagaille CreditAttribution: pagaille commentedMust be something funky in my environment. If I apply the patch in #2 to the 1.0 release, the two new Kernel tests are placed outside of the web folder. But downloading the latest dev release has them in the correct folder under the group module folder.
Comment #8
Kasey_MK CreditAttribution: Kasey_MK commentedPatch #2 works for me locally, but when I deploy to my dev environment, I get a WSOD:
"Fatal error: Cannot declare class Drupal\group_test_plugin\Entity\EntityTestWithOwner, because the name is already in use in /app/web/modules/contrib/group/src/Entity/EntityTestWithOwner.php on line 35"
Group 1.0.0
Drupal 8.9.2
Ideas?
Comment #9
John Pitcairn CreditAttribution: John Pitcairn commentedApplying the patch at #2 to Group 1.0.0 via composer-patches fails. Doing so creates a directory "b" in the root of the group module directory and appears to misplace other items. The patch will apply manually with
git apply
from the module root, albeit adding trailing whitespace errors on 4 lines.Comment #10
John Pitcairn CreditAttribution: John Pitcairn commentedContinuing from [#3159755]:
On my local dev, after composer-updating from 1.0-rc5 to 1.0.0, applying the patch (via git as above) and running the db updates, I still get the same results. Nodes that were restricted are now public.
Attempting to replicate on simplytest.me:
Install with group 8.x-1.0.0 and the patch at
https://www.drupal.org/files/issues/2020-07-20/group-3160329-2.patch
Installation fails, with the patch failing to apply, and the error noted at comment #8 when enabling modules.
[...]
Comment #11
kristiaanvandeneyndeSimplytest.me allows you to use the dev version. Try that.
Comment #12
John Pitcairn CreditAttribution: John Pitcairn commentedThanks. Dev version works as expected on simplytest.me. Grouped pages are restricted by group access for entity view and views query. I will see if I can successfully upgrade from 1.0-rc5 to dev ;-)
Will you push a 1.1 release soon? Seems like this is a fairly nasty bug that will hit site builders who upgrade production without testing, expecting that a release candidate to 1.0 update should not introduce major changes and a new dependency.
Comment #13
John Pitcairn CreditAttribution: John Pitcairn commentedHmm ... but if I upgrade my site from rc5 to 1.x-dev:
/node/xxx
if the user does not have appropriate group permissions.Investigating ... (later) ... I can't reproduce the above when upgrading a clean install from 1.0-rc5 to 1.x-dev. Rats. I'll continue to investigate why my existing site might be problematic to upgrade and report back here. Does anyone else have the same problem?
Edit: started a new issue to deal with that: #3161490: Views node query access restrictions differ after upgrade from rc5 to 1.1
Comment #14
dokumori CreditAttribution: dokumori commentedUnpublishing as this is a security issue (https://security.drupal.org/node/173176)