As mentioned by andypost on #1938390-62: Convert contact_site_page and contact_person_page to a new-style Controller, there is no access to _account on 403 pages.

The reason for that is, that ExceptionListener creates a new request without the previous _account attribute. This though causes a problem as on our 403/404 pages, we render links blocks, so we need to check access.

Proposed solution

Replace the symfony event listener with one taking care about _account and potentially other internal values.

CommentFileSizeAuthor
#15 routing-2057607-15.patch8.43 KByanniboi
#15 interdiff-11-15.txt614 bytesyanniboi
#11 routing-2057607-11.patch8.11 KBdawehner
#7 drupal-2057607-7.patch4.45 KBdawehner
#5 2057607.patch3.08 KBdawehner
#4 2057607-exception-user-4.patch2.26 KBandypost
#1 2057607-exception-user-1.patch3.95 KBandypost

Comments

andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Active » Needs review
StatusFileSize
new 2057607-exception-user-1.patch3.95 KB

Suppose both changes are needed but no idea about tests

Status: Needs review » Needs work

The last submitted patch, 2057607-exception-user-1.patch, failed testing.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Needs review 
+++ b/core/lib/Drupal/Core/Controller/ExceptionController.phpundefined
@@ -92,6 +92,7 @@ public function on403Html(FlattenException $exception, Request $request) {
+      $subrequest->attributes->set('_account', $request->attributes->get('_account'));

@@ -165,6 +166,7 @@ public function on404Html(FlattenException $exception, Request $request) {
+      $subrequest->attributes->set('_account', $request->attributes->get('_account'));

As everything with an underscore is kind of special (_account, _system_path) i am wondering whether we should copy all of them.

andypost’s picture

andypost
he/him
Primary language Russian
commented
StatusFileSize
new 2057607-exception-user-4.patch2.26 KB

proper patch, previous was on top of #1938390-67: Convert contact_site_page and contact_person_page to a new-style Controller + debug

do we really need to patch all sub|request creation places to properly pass the account or need same clone method?

dawehner’s picture

dawehner
Primary language German
commented
StatusFileSize
new 2057607.patch3.08 KB

Just a rough patch so other people can work on it.

Status: Needs review » Needs work

The last submitted patch, 2057607.patch, failed testing.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Needs review
StatusFileSize
new drupal-2057607-7.patch4.45 KB

Let's combine them.

andypost’s picture

andypost
he/him
Primary language Russian
commented
Issue tags: +Needs tests

new it needs tests, no idea about unit tests

dawehner’s picture

dawehner
Primary language German
commented
Issue tags: +WSCCI

Adding tag. I will work on some tests

dawehner’s picture

dawehner
Primary language German
commented

Opened a pull request to make it easier to add additonal parameters, see https://github.com/symfony/symfony/pull/8716

dawehner’s picture

dawehner
Primary language German
commented
StatusFileSize
new routing-2057607-11.patch8.11 KB

Here is a test.
For some odd reason I had to hack the error log in order to not fail due to a thrown exception.

danylevskyi’s picture

danylevskyi
Location Myrhorod / Ukraine
commented

I think the patch #2061907: Remove calls to deprecated global $user in shortcut module depends on this issue.

dawehner’s picture

dawehner
Primary language German
commented

See #2062151: Create a current user service to ensure that current account is always available

Status: Needs review » Needs work

The last submitted patch, routing-2057607-11.patch, failed testing.

yanniboi’s picture

yanniboi commented
Status: Needs work » Needs review
StatusFileSize
new interdiff-11-15.txt614 bytes
new routing-2057607-15.patch8.43 KB

'Symfony\Component\HttpKernel\Exception\FlattenException' is a deprecated class, so I replaced it with 'Symfony\Component\Debug\Exception\FlattenException' to get rid of most of the test fails.

disasm’s picture

disasm commented

#15: routing-2057607-15.patch queued for re-testing.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs review » Needs work

The approach used here can't work anymore, as we should rather rely on the current_user service.

h3rj4n’s picture

h3rj4n commented
Status: Needs work » Needs review

This issue is out of scope. The parent issue is already (#1938390) continued without the fix in this issue. The part that's addressed here is already fixed.

I also tested it and I don't get a exception on 403 pages. I enabled the contact module. Create a new user with no rights for the contact form and try to access the contact form as this user. I got a clean 403 page, without any errors or exceptions.

I set it to 'needs review' because I'm not confident enough to close it.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs review » Fixed

The current_user service should totally solve the problem described in the issue, so we can close this now.

Thanks for bringing that issue up again.

Automatically closed -- issue fixed for 2 weeks with no activity.