I have a number of custom entity types on my site which are accessible via jsonapi endpoints.

Using EntityAccessControlHandler::checkAccess(), users are restricted to only the entities that they created.

Using hook_query_ENTITY_TYPE_alter(), queries for fetching those entities in order to provide the collections are also restricted to the entities that they created.

If I hit a collection endpoint in jsonapi for a given entity type, I am properly given a list of entities that belong to that user. If I make the same request as a different user, I am returned the list that the first user was given, because at this point it is cached without the proper cache contexts.

What would be the correct way to add the proper cache context(s) here?
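As an added example (not code from this issue or from the jsonapi module), one way to make the access decisions carry their own cacheability so that the cached collection varies per user. The entity type `my_entity`, its owner field, the permissions and the module name `mymodule` are hypothetical, and the filter-access hook assumes a JSON:API version that provides hook_jsonapi_ENTITY_TYPE_filter_access() (it ships with the jsonapi module in Drupal core). A restriction applied only in hook_query_ENTITY_TYPE_alter() cannot attach cache metadata, which is why it does not make the response vary.

```php
<?php

/**
 * @file
 * Added example, not from the issue: cacheable access decisions for JSON:API.
 *
 * Assumes a hypothetical entity type "my_entity" implementing
 * EntityOwnerInterface, hypothetical permissions, and a JSON:API version that
 * provides hook_jsonapi_ENTITY_TYPE_filter_access().
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access handler for the hypothetical my_entity type.
 */
class MyEntityAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    if ($operation === 'view') {
      // The decision depends on who is asking (cachePerUser) and on the
      // entity's owner field (addCacheableDependency). JSON:API merges this
      // cacheability into the response, so the cached collection gains the
      // 'user' cache context instead of being served unchanged to the next user.
      return AccessResult::allowedIf($entity->getOwnerId() == $account->id())
        ->cachePerUser()
        ->addCacheableDependency($entity);
    }
    return parent::checkAccess($entity, $operation, $account);
  }

}

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for my_entity.
 *
 * An empty collection (the anonymous case) yields no per-entity access
 * results, so the cache contexts must come from the filter access result.
 */
function mymodule_jsonapi_my_entity_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'administer my_entity'),
    JSONAPI_FILTER_AMONG_OWN => AccessResult::allowedIfHasPermission($account, 'view own my_entity')->cachePerUser(),
  ];
}
```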

Comments


mstef

Actually, what looks like is happening is that if I make a request as an anonymous user, the empty response is cached. Then all requests afterwards, even those using authentication methods, come back with the same empty response (until I clear the cache).

mstef

Status: Active » Closed (works as designed)

Closing as my last comment sums it up. I'm not sure if that's a sign of another issue with either core or this module. I'll try to investigate further.

danstorm

@mstef,
I hate to comment on an old/closed issue, but we are facing the exact issue you describe here. Were you able to overcome it?

I am concerned that this will allow one user to view another user's content, which very much defeats our 'view own entity' permission.

Any assistance is greatly appreciated, thanks.