Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Setting up a simple access checker for the first time. Getting "access denied" even if I do a simple return AccessResult::allowed();
My log says:
Path: /reviews/42/1. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 117 of /afs/umich.edu/group/g/grahamsi/vhosts/d8/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).
It looks like it is failing this in AccessAwareRouter:
if ($access_result instanceof CacheableDependencyInterface && $request->isMethodCacheable()) {
throw new CacheableAccessDeniedHttpException($access_result, $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : NULL);
}
However, I do not know what this means or how to get around it. Any help is appreciated.
Issue fork drupal-3166208
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
compare
Comments
Comment #2
dmudie commentedI tracked this down to non-matching requirement name in the route and the "applies_to" tag in the service. Not the best error message and I still don't understand but oh well.
Comment #3
berdirThis isn't *because* CacheableDependencyInterface. It just checks that to return a cacheable access denied response as opposed to a non-cacheable one. That it is access denied happens earlier. Closing this as it is a support request and you figured it out. Agreed that finding a problem like that can be awkward. Feel free to create an issue try handle that better, but I assume you just hit the case when no access check applied and then it defaults to denying access without a reason. Maybe just adding a reason "No access check applied or something could help.
Comment #5
q11q11 commentedWhere should I look into if I'm getting exactly same "access denied", in the same /core/lib/Drupal/Core/Routing/AccessAwareRouter.php:117 of D8.9.14, while trying to access /admin/modules/update as user/1 ?
UPD.
It came out that "$settings['allow_authorize_operations'] = FALSE;" in settings.php instantly denied access to /admin/modules/update w/o considering any other permissions.
Comment #7
snehi commentedIs there any solution for the same, i am also getting the same error.
Comment #8
bs8250 commentedI found a workaround by enabling "Bypass content access control" permissions in /admin/people/permissions
Comment #9
wranvaud commentedIn my case I had to tweak the routing.yml file and had success using the _permission: 'edit entitites' property rather than _entity_access.
Comment #10
thirstysix commentedComment #11
castor-designs commentedWhy is this fixed? I have the exact same problem. #8 did not work for me and #9 neither. Which routing.yml did you edit anyway? there is no singular routing,yml file in drupal 9 anyways but many.
Comment #12
vortexcentrum commentedD10.0.1 (or might be 10.0.2 - I did a Composer update but Drupal is still reporting the previous version).
I have cleared Drupal, server and local caches often.
NO anonymous access to any pages. Access Denied.
Path: /publications/web/front. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 112 of [redacted]/publications/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).
Line 112 says
throw new CacheableAccessDeniedHttpException($access_result, $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
Looking at the logs, it seems that the exception report is logged for all my activity as admin, too,
.htaccess has been replicated from another site that works. Includes "allow from all" but in any case, that can't be the problem because the site is loading, then refusing access. So it's an internal Drupal problem.
I have not tampered with Drupal's own .htaccess because I've never needed to in the past.
Tried No. 8 and gained anonymous access but, as the warning note says, it gave anonymous users full edit/delete control over content. So I undid that.
Didn't try No. 9 - too many "routing.yml" files. The risk of chaos is too great.
Given this, it appears that the issue comes down to permissions.
Next: I still had the page open from when I tested solution #8. So I went to nodeaccess settings. Granted anonymous access to nodes of that type, went to the page and refreshed. Once more, access denied.
One odd thing has been the frequency of "rebuild permissions" warnings.
I've used NodeAccess since the early days of D7.
It turns out that the solution to this problem is to uninstall NodeAccess.
Losing the functionality I'm used to is a pain but it's better than having a website no one can enter.
And it takes one minute instead of the seven hours I've spent looking for the solution to the original problem.
Hope this helps others.
Comment #13
karol haltenberger commentedI had the same error message suddenly appear and it only took me a couple of hours to figure out that the indentation in my my route definition was off XD
Comment #14
TamB commentedFor anyone with the Nodeaccess module: rebuilding the node permissions solved this problem for me.
Go to /admin/reports/status and scroll down to Node Access Permissions. There is a link 'Rebuild permissions'. Click on it. Depending on how many permissions you have, it could take a few second to a few minutes.
Comment #15
hongqing commentedI encountered the issue after add products to drupal commerce, it happens sometimes, I am not sure which action triggers the issues.
I am using D 10.3.0 and Domain module.
Comment #16
hongqing commentedI found this issues is closed because issue #3257541 fixed. I do no think they are the same issues. #3257541 is about the log, while the issue here is user cannot access even being granted permissions.