Problem/Motivation
In order to be able to cache the rendered output of views result rows, we need support for it when we render entity operation links, see the https://qa.drupal.org/pifr/test/1022293 test failure.
Steps to reproduce
- I added a new content type.
- Role X has "edit own" permissions for this content type, but no other node permissions except view published content.
- User A and User B both have Role X.
- Admin user creates two nodes of the new content type, and makes User A the author of one node, and User B the author of the other node.
- View is created to display all nodes of the new content type; the view includes the Operations Links field.
- When Admin is logged in, the operations links (Edit, Delete) are available in the view for both nodes (which is the expected behavior).
- User A logs in, and the Edit link is available in the view only for the node that has User A as author (which is the expected behavior).
- User B logs in, and the Edit link is available in the view only for the node that has User A as author, when it should be for User B as author.
Taken from #2653690: Operations links field in Views fails between users with "edit own" user permissions
Proposed resolution
Add an access
key to each entity operation which contains an AccessResult object to determine whether the user has access to the operation. Use this to apply access to the rendered link, and bubble cacheability from the AccessResult object to the link.
Remaining tasks
Patch review
Comment | File | Size | Author |
---|
Issue fork drupal-2473873
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #1
Fabianx CreditAttribution: Fabianx for Acquia commentedComment #2
Fabianx CreditAttribution: Fabianx for Acquia commentedAs spoken in IRC for now we can just do it like NodeViewBuilder and push the operation links (like node links) into a #post_render_cache.
Comment #3
dawehner@plach and myself worked on that a bit, first without #post_render_cache.
While doing so I realized we probably need #2487600: #access should support AccessResultInterface objects or better has to always use it
Now trying to get a #post_render_cache working, which is probably the better solution, given the cacheabilty is probably often not worth to do.
Comment #4
dawehnerjust temporary work on post_render_callback.
Comment #5
dawehnerWorked a bit more on #3 and replaced the entity operation links properly as well with access result bubbleable metadata.
On top of that, it adds support for #access being an AccessResultInterface object.
Comment #6
BerdirTagging this with contributed project blocker... file_entity tests are currently failing because of this.
I've confirmed that this fixes them, sounds like we need tests.
The problem with the test coverage in RowRenderCacheTest is that we have a single view that has separate view, edit, delete link fields *and* the operations link. It's enough for the tests to pass if *one* of them is implemented correctly. So operations look like they work right now, but they don't.. it only works because the other fields are adding the user.permissions cache context it and counts for the whole row.
Sugestion: Split up the test view into 4 different ones, test each field on a separate view.
Comment #7
dawehnerSounds like a good idea in general.
Comment #10
plachSuggestion sounds good, I was already planning to do something like that, just forgot it.
Comment #12
BerdirTried that. Splitting up the view into 4 makes the patch/test part pretty big.
The test shows that the title and operations column still dont' have the user.permissions cache context as expected. Need to look into #2335661: Outbound path & route processors must specify cacheability metadata to figure that out for the make_link option (title), didn't look into operations yet.
Also fixed a fun bug in the new access check that resulted in denying access to anything without #access. Result was an empty page for *everything*, confused me for a minute ;)
Comment #15
BerdirWe need to default link access to TRUE. While that might be uncommon, it matches the current behavior. This will hopefully fix most of the failing tests...
Comment #16
dawehnerYou could also just go with one view and 4 displays, I think this could reduce the patch size quite a bit?
Comment #17
BerdirPossible, but I'm not exactly sure how to write the test then, as we directly interact with the view object and don't render them in advance. Not quite sure how that would work, is it possible to have the same view with a different active display at the same time? Maybe cloning it and switching?
Comment #19
dawehnerYeah you should be able to just do:
Comment #20
BerdirThat doesn't fit well with how the test is structured now. We first preview the view(s), and then loop over all nodes and check the different fields. We'd need to change it to do 4/5 loops so that each field + the cache check is in a separate loop.
Comment #21
Fabianx CreditAttribution: Fabianx for Acquia commentedThe reason this still fails is that we _need_ to return the cacheable metadata when this is an object.
And strictly speaking after this change we need to return max-age = 0 when its not an object, but just 'FALSE'.
Comment #22
Fabianx CreditAttribution: Fabianx for Acquia commentedRelated issue #2495171: Block access results' cacheability metadata is not applied to the render arrays.
Comment #23
Wim LeersI think we want to move the
#access
portion of this patch be moved to #2487600: #access should support AccessResultInterface objects or better has to always use it?Comment #24
Wim LeersPossibly this bug is causing #2504663: Entity operations links tied to original entity language, ignore both views row and UI languages, but in any case it is related.
Comment #25
dawehnerSo you basically argue that we should first solve #access in all of core instead of the limited scope needed for entity operations? We could proceed here with just changing the bits which are relevant to this particular issue. How sane would that be?
Comment #26
Wim LeersNo, not arguing that. Proceeding here is fine. I think I only meant to say that the
#access
portion of this issue, which is something we need to fix regardless of this particular issue, probably makes more sense to fix in a separate issue. That's all.Comment #27
BerdirReroll, didn't try it at all yet.
Comment #29
BerdirFixing the tests.
* Fix operations to a) bubble up the cache metadata ( this might need to be fixed for #type links too, we just don't have tests for that) and b) skip inaccessible links completely. The code that was committed to HEAD renders empty list elements, and the RowRenderCacheTest explicitly checks for an empty string.
* Fixed the add menu link operation access
* Fixed test exceptions that are looking for the exact operation arrays
* the title view, despite having a link does not currently check access (as it is a path configuration), so we special case that behavior in the test. This is not the issue to fix that and we're not even sure we want it to be fixed.
Also discussed this with @plach, @dawehner and @xjm in regards to being critical or not and we think it is not, because there is no real security issue, you just might see some links you then don't have access to or you are missing links that you would have access to. So we can remove it from the must list of the cache meta issue.
(This also means I was working on a major issue, but figuring out if it is critical or not was critical :p)
Comment #30
Wim Leersberdir++
Also updated the meta: #2429287-114: [meta] Finalize the cache contexts API & DX/usage, enable a leap forward in performance.
Comment #31
dawehnerHere we merge the access metadata, but the generic case of template_preprocess_links() doesn't. Would it not make more sense to do it as part of template_preprocess_links()?
I hope we can drop it ...
As discussed this is not entirely obvious.
Comment #32
Wim LeersNW per #31.
Comment #33
Wim LeersComment #34
dawehnerLet's whether someone else is motivated to work on this particular issue ...
Comment #35
XanoI think we may need to do something like this, because
EntityInterface::access()
returnsAccessResultInterface
, which does not extendCacheableDependencyInterface
. This also means we're mixing up access and cacheability metadata, which is a smell. Instead, use acache
key for links which containsCacheableDependencyInterface
. We can easily generate those from theAccessResult
instances which are returned byEntity::access()
, and it keeps the API more self-descriptive.Comment #38
XanoThis fixes some test failures, and removes what I believe are redundant cacheability metadata merges.
Comment #40
XanoComment #44
Xano@Wim Leers: This results in per-entity cache tags being added to page cache items. On a list page with 50 entities, that means 50 additional cache tags, and the
user
context that are added. Is this what we what, or should we lazy-build the operations to keep accurate page output, but prevent ridiculously granular cache items?Comment #45
borisson_Patch didn't apply anymore, attached one does.
Comment #48
Wim LeersComment #49
borisson_Patch still applies. All the tests are very much broken though.
Comment #50
xjm#2530634: Value of last_render_text leaks into the next Dropbutton also sounds related -- the resulting behavior at seems similar, at least, though the title sounds like a different bug.
Comment #52
xjm@tim.plunkett, @dawehner, @alexpott, and I discussed this issue at DrupalCon New Orleans and agreed that it was major. It results in cached administrative views not being properly updated when access changes, which results in both missing links and inaccessible stale links. It is especially confusing because it misleads the user about access to the entities and can result in people doing inadvisable or insecure things to work around the problem.
It is not critical because there is no risk of information disclosure, just missing links or links to 403s (see #29 for earlier discussion of that).
Comment #58
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedLet's try and tackle this at DS2019!
Comment #59
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedJust a quick review of the last patch to point out some issues
We'll need to add cacheability from a access denied here too. Maybe it's best to add it into
$variables['links']
?We have to return this cacheability metadata even when access is denied and bubble it up in template_preprocess_links.
Not sure what the intention here was but we definitely don't want the user context added to every access call.
I would also suggest we scope this issue to entity operations generated from EntityListBuilder and split the other builder classes out?
Comment #60
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedSomething like this would work although using array keys like this is pretty ugly IMO, let's see what breaks.
Comment #62
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedWe need to add back some of the logic from #45 in
template_preprocess_links
for lists that aren't using views. This is currently incomplete as it causes empty<li>
elements to be rendered.Comment #63
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedWoops, missed the use statements!
Comment #65
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedHaving a bad day with this 😅 errors were from undefined index notices.
Comment #66
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedOh boy...
Comment #70
dpiSimple rerolls for 9.1 and 9.0
Comment #71
dpiComment #74
shaktikComment #75
shaktikTrying to fix the test case.
Comment #76
shaktikComment #78
shaktikFixed all test case #70 patch, Kindly check.
Comment #79
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedThat's one way to fix a test haha. I think we need to figure out why these are different and fix $expected_build.
Comment #80
cburschkaThe test operation has no cache dependencies, so all we need to add to the expected build in order to pass the test is a "permanently cacheable" designation; ie
(new CacheableMetadata())->applyTo($expectedBuild);
But maybe we want to expand test coverage by adding (and then expecting) an actual cache dependency to test that it is merged into the render array correctly.
Comment #81
cburschkaThis patch adds a real cache tag to the operation and checks that it passes through into the final render array.
Comment #82
mxr576LGTM
Comment #83
xjmGreat find. I think since this is resolving a major cache invalidation/access bug with no other disruptive changes, it's potentially backportable to 8.9.x.
In addition to the required unit test issues, I'd suggest a functional test for this (maybe a JS test in this case), since the bug is at a functional level. It should theoretically be straightforward to write a test that fails on HEAD and passes when combined with the fix. I'd also want the test to make assertions about the expected access before and after cache invalidation to prove that we're not introducing an access bypass by fixing this. Thoughts?
Comment #84
mxr576+1 for Functional test coverage
Comment #85
Berdirif access is an AccessResultObject, we could also consider its cacheability metadata directly, that would make the implementations a lot simpler?
Concerned that changing this could break things. In multiple ways.
One one side, we have the problem that \Drupal\Core\Entity\EntityListBuilder::getOperations() is a public API, it may or may not be used together with #links. Now we expect it to be used with something that respects the new access key. I didn't find anything, so this is possibly unlikely.
On the other side, we have the problem that there are a lot of custom operations, and as a result of this, we implicitly make them cacheable and might introduce bugs.
This patch only updates the default method, but there are tons of subclasses implementing this. Just looking at a few:
\Drupal\filter\FilterFormatListBuilder::getDefaultOperations() checks for the default format, separate config entity.
\Drupal\Core\Config\Entity\ConfigEntityListBuilder::getDefaultOperations() checks the entity status, so would need top update if the entity changes.
These and most are config entities, so they are unlikely to be cached, but there's also for example \Drupal\webform\WebformSubmissionListBuilder::getDefaultOperations in contrib, with lots of dynamic conditions.
This is annoying, I know :)
One option might be to treat a non-existing cache key as uncacheable, to keep the existing behavior. So every operation needs to opt-in to being cacheable. They could return an empty object to indicate that they are safe, like \Drupal\Core\Cache\Context\CacheContextInterface::getCacheableMetadata.
Comment #86
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commented@Berdir yeah it is annoying, back in #59 I suggested stripping this issue back to just the default class to keep the patch size manageable the idea was to post follow ups to address the other subclasses. Fixing caching bugs always has the opportunity to break things but I'm not really sure what the best solution is here.
I like your idea of returning uncacheable, I'm just not entirely sure what that would look like - maybe I need more coffee first :P
Comment #87
kim.pepperComment #88
SimeonKesmev CreditAttribution: SimeonKesmev commentedI've made some alterations:
1. Made operations caching per user by default.
2. Simplified the data by adding only 'access' objects to operations that include the caching information in themselves.
3. Made patches for 8.9 and 9.x.x
Comment #90
SimeonKesmev CreditAttribution: SimeonKesmev commentedHere are fixes for the patches. Can't run the full tests locally so fingers crossed this time.
Comment #91
SimeonKesmev CreditAttribution: SimeonKesmev commentedMistake in the 9.x.x version of the patch.
Comment #92
SimeonKesmev CreditAttribution: SimeonKesmev commentedUpdates of the tests.
Comment #93
vsujeetkumar CreditAttribution: vsujeetkumar at Srijan | A Material+ Company for Drupal India Association commented@SimeonKesmev The naming convention of your patch file is incorrect, Commonly we use like issue number and then comment number.
EX: [issue-number]-[comment-number].patch
Also required interdiff, It will help to understand the changes you have done. Create Interdiff
Comment #94
SimeonKesmev CreditAttribution: SimeonKesmev commentedHi @vsujeetkumar, here's the proper naming and the interdiff.
Comment #95
Kristen PolThanks for the updates. Patches still both apply cleanly.
I've reviewed the code but this is quite complex so I'll defer to others with more insight there. I didn't notice any nitpicks at least :)
Adding some more tags because this issue really needs more tags
</silliness>
.Comment #96
quietone CreditAttribution: quietone at PreviousNext commentedI skimmed the comments and noticed that a Functional test was asked for in #83, setting to NW for that.
The Issue Summary should explain the proposed resolution and list the remaining tasks.
And adding some more tags!
Comment #97
kostyashupenkoReroll against 9.3.x is done
For 8.9.x reroll was not needed.
Comment #99
quietone CreditAttribution: quietone at PreviousNext commentedI have closed #3012036: Views entity operations field does not contain required cache metadata and #2653690: Operations links field in Views fails between users with "edit own" user permissions as duplicates.
I was testing #2653690: Operations links field in Views fails between users with "edit own" user permissions as part of bug smash triage and was able to confirm the problem as stated in the IS over there is reproducible. I then found this issue and applied the patch and retested. And it fixed the problem. The views for the two users show the operation link on the correct content.
Comment #100
quietone CreditAttribution: quietone at PreviousNext commentedThe proposed resolution section of the IS needs to be updated.
Comment #102
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedMoving to an MR, rebased against 10.1.x. First pushed a failing functional test and will follow with the rest of the patch. Also updated the IS.
Comment #103
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #104
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedMissed changing the version.
Comment #107
smustgrave CreditAttribution: smustgrave at Mobomo commentedHiding files as fix has been moved to MR 3556
Moving to NW as there appears to be 1 failure in it though.
Did not review yet
Comment #108
TwoDWe already have cache metadata for the operations indirectly through their URLs, but most list builders [and the Views Operations field] simply throw it away after evaluating the access condition (at operations build time), so the context of when an operation could be valid or not is lost.
I think this is what the failing test is actually hinting about, a responsibility creep. To fix the failing test I would have assumed the access control handler for the "disable" operation was not returning the proper [user] context. However, adding it there has no effect at all on whether the test passes or fails since that data is thrown away by the list builder when it check if access is currently allowed.
(We try to avoid early rendering, maybe we should also try to avoid early access evaluation in similar situations?)
I ran into this when debugging specifically why our cache contexts added to custom entity access control handlers seemed to have odd effects despite the value of the context(s) we included was different for different users, even after applying the latest patch - because contrib's entity module's list builder has the same flaw as core's list builders currently do.
If the list builders (and Views' Operations field) always added the operations instead of evaluating access at the point of building the operation links, and the links preprocess template hook performs the actual access evaluation (storing the result in
$link['#access']
and merging in the cache metadatada into$link['#cache']
), we'd be all good.This would keep access control handlers as the ones responsible for adding the correct access related cache metadata to their responses instead of also having list builders juggle it around, and relieve them of even having to do the operations access checks they do now - they would not have to care about it all about which operations are valid or not.
For now I've had to resort to always include a custom cache context (which varies with anything that could affect access for the different groups of users we have) in the links preprocess hook, otherwise the operations access in the lists/views we have would not get rebuilt at all. If it worked as described above (and entity module always included all of its operations) I would not have had to do anything in our site specific code because the cache metadata from the access handler would have been propagated there instead.
I'll take a stab at refactoring the branch to show what I mean.
Comment #111
TwoDNow that all tests finally pass, I should write some notes on the changes outside the implementation of #108 itself.
There were at least two major issues discovered while working on this which could potentially be extracted and handled on their own.
I tried searching the issue queue for existing patches and came up blank, but maybe someone knows if they have already been covered elsewhere.
The renderer throws away cache metadata from access results if they are not allowed. This, obviously, prevents something like #108 from working; we need that metadata to be bubbled the same was as if there was a cache hit/miss when access is granted. Without this the new
::testEntityOperationsCacheability()
fails because theuser
cache context is dropped.(Added
null
to the annotated return types of::getCurrentRenderContext()
as that was missing.)The content translation manager sometimes looks for existing translations on the wrong revision.
This was exposed by
ContentTranslationRevisionTranslationDeletionTest::testOverview()
failing because the 'Add' operation was now missing for Italian on line 142. They still had access to the translate form if the current interface language was either Italian or French, but not in English. While the Add operation [correctly?] points to the Italian version of the translation form it being added depended on an access check performed on the "active" revision - which already has an Italian translation - so the link no longer show up because the URL is inaccessible.The test performs these steps:
(This is iteration 2 of the test, with the editor role. Iteration 1 passes because access checks are bypassed.)
Verify translations can be added.
Verify the draft can not be deleted because it's unpublished.
Verify it can be deleted.
Verify Italian translation still exists.
Verify the 'Add' operation for Italian reappears. This failed
Verify the Italian translation does not reappear.
Verify it can be deleted.
Verify it can not be deleted.
Verify it can be deleted again.
Verify it can be added again.
When the Italian translation is deleted in step 5 the English draft "Test 2.4 EN" is the latest revision and no longer has a translation. The access manager gets its argument from the route match for the translation route, which has
load_latest_revision = TRUE
, but it loads the latest "active" revision - which the entity repository says is the last one which was translation affected.The last English revision which was translation affected (titled "Test 2.1 EN") still had "Test 2.3 IT" as a translation, as the deletion created a new revision without any translations affected.
ContentTranslationController::add()
deals with this by explicitly loading the latest revision, so we can do the same thing in the translation access control manager and it correctly sees that there is no Italian translation there and allows the 'Add' operation.The controller does however cause a similar issue elsewhere by adding the translation to the entity it loads (after the access control manager has allowed the route). If you have the language switcher block enabled the links there are now access checked via the same manager, and it now sees the newly added translation (which isn't considered "new" since an Italian translation did exist earlier) and prevents the links from showing.
Adding a
clone
to the controller prevents polluting the entity instance in the context, and the subsequent access checks then see the true "current" state of the entity and lets the language switcher links show.Other changes made to make tests pass include adding
_access: 'TRUE'
to the<current>
route, which caused a problem inCommentNewIndicatorTest<code> because <code>CommentLinkBuilder
uses<current>
for the "comment-new-comments" hidden jump link and renders it as a link list.I can't think of any reason why this would not be safe off the top of my head, but there's also no other test which directly depends on it it being either allowed or denied.
A few places in
FunctionsTest
had similar issues with the access checks but some routes could be switched to existing ones with correct access requirements or replaced with a new one.Comment #112
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #113
catchSplitting those out sounds good and nice one tracking them down!
Comment #114
TwoDThanks, working on that now.
Do you know what's up with the bot? This is my first time I see it so trying to figure out what it's trying to tell me.
The patch applies fine against 11.1.x which it wants to merge into, but I guess it's testing against 11.x?
Comment #115
TwoDThis now depends on #3374234: Content translation access manager may use the wrong revision and #3374253: The renderer throws away cache metadata from access result if it is not allowed.
Comment #116
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedI've rebased the MR onto 11.x, hopefully it went well 🤞
Comment #117
jigariusJust tested it to be working fine with Drupal 10.0.9.
Comment #118
jigariusAfter leaving comment #117, I ran into a new issue. There seems to be a permission anomaly for certain operations. I am marking this as needs work.
For example: With the changes proposed in the merge request at this point, I stop seeing the "Masquerade" operation for user entities even though I'm logged in as User 1. As soon as a I remove the patch, I start seeing it again. Additionally, I implemented a hook_entity_operation() in a custom module and the patch makes that custom operation disappear as well. Removing the patch brings it back.
Comment #119
TwoDYes, this will need some more rebase work once the issues mentioned in #115 are done.
The changes to the Renderer have been committed to the 11.x branch, but not the 10.x
or 10.1.x branches(now committed to 10.1), so if you are using D10 you are likely missing the corresponding change from that issue - which is likely to cause problems like those you describe as cache metadata is lost in some situations.Comment #120
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedIt'd be good to get some steps to reproduce #118 or the sample code for the custom operation. We are running this patch with many custom operations and all work as intended.
Comment #121
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedI just debugged this and it's in fact correct. The masquerade operation's URL route is
entity.user.masquerade
That route has the
_csrf_token
requirement. That gets removed by thearray_diff
in AccessManager::check because there is no request, which the csrf_token requirement needs.Comment #122
thefancywizard CreditAttribution: thefancywizard at Slalom commentedI created a 10.1.x-compatible patch from the merge request changes if anyone is in need.
Comment #123
acbramley CreditAttribution: acbramley at PreviousNext for Service NSW commentedHiding patches to avoid confusion.
Comment #124
smustgrave CreditAttribution: smustgrave at Mobomo commentedAppears to have gone through a few rounds of reviews
All threads appear to have been addressed in the MR. Took a look at the MR and nothing stands out. But seems like a large change so will wait to see if anyone else chimes in.
Comment #125
thursday_bw CreditAttribution: thursday_bw as a volunteer commented#117 set this to reviewed and tested by the community.
#118 re-set this to needs work with a vague bug report.
#121 spoke to the bug report and reported it as correct (meaning that 'works as expected' I believe).
Therefore setting this back to 'Reviewed and tested by the community'.
I have done some testing and can confirm that MR3556 as of 14 Jan 2024 resolves the entity operations problems reported on this issue, and also the username issues reported on Incorrect user linked on content page when switching users.
Comment #126
bircherAttaching also a patch for Drupal 10.2.x
Comment #127
mxr576Checked the latest state of MR, also RTBC++.
Comment #128
larowlanLeft some minor comments on the MR
#85 asks the same question about sub-classes in contrib/custom code - I think we need an CR for that.
Did we get to the bottom of #121?