Problem/Motivation

Cache is handled by the Permission by Entity's AccessResultCache, which only was made for nodes. When using entities these tags mix-up, as they only respect the $entity->id() and $account->id().

Steps to reproduce

  1. Enable "Permissions by Term" and "Permissions by Entity"
  2. Add a reference to a taxonomy term from a node type
  3. Create a node and leave it accessible for anonymous users
  4. View the node in an anonymous session => Access allowed (works! and get's cached)
  5. Add a reference to a taxonomy term from a media entity
  6. Create a media entity (make sure it has the same id as the node) and select a term not accessible for anonymous users and attach a file
  7. Copy the URL of the file attached to the media (which checks the "view" permission of the parent entity as defined by core)
  8. Open the URL in an anonymous session => Access allowed (BROKEN!)
  9. Clear cache => WORKS!

Proposed resolution

Use cache tags which do respect the entity type id and do not pollute the database with node entries.

Remaining tasks

PbE has a whole different access check system (not using cache at all), which also should be ported to PbT.

User interface changes

API changes

Data model changes

CommentFileSizeAuthor
#7 permissions_by_term-tag_and_invalidate_cached_access_results-3238759.patch7.75 KBfskreuz
#7 interdiff.txt1.95 KBfskreuz
#6 interdiff.txt1.86 KBfskreuz
#6 permissions_by_term-tag_and_invalidate_cached_access_results-3238759.patch7.66 KBfskreuz
#4 3238759-PbE_respect_entity_type_id-4.patch6.21 KBytsurk
#2 3238759-PbE_respect_entity_type_id-2.patch5.34 KBytsurk

Comments

ytsurk created an issue. See original summary.

ytsurk’s picture

ytsurk
Location Switzerland
commented
StatusFileSize
new 3238759-PbE_respect_entity_type_id-2.patch5.34 KB

Here's a first workaround, a replicated AccessResultCache service in PbE.

ambient.impact’s picture

ambient.impact
they/them
Primary language English
Location Toronto
commented

Also it seems to me, like PbE is taking over PbT, so PbE should skip when we have the entity type node.

This is a thing that caught me by surprise when we enabled Permissions by Entity on Omnipedia, as it started giving users access to unpublished nodes with those terms, even though they didn't have permission to view unpublished nodes. With only Permissions by Term enabled, they would only be granted access when the nodes were published. As you can imagine, this isn't the kind of surprise you'd want in something users pay for and thus real money is involved.

ytsurk’s picture

ytsurk
Location Switzerland
commented
Issue summary: View changes
StatusFileSize
new 3238759-PbE_respect_entity_type_id-4.patch6.21 KB

Here a next patch, leaving nodes alone.

fskreuz’s picture

fskreuz commented

Patch works for me (PbT 3.1.17, D 9.2.8). Works on Media and direct access to the media's files.

fskreuz’s picture

fskreuz commented
StatusFileSize
new permissions_by_term-tag_and_invalidate_cached_access_results-3238759.patch7.66 KB
new interdiff.txt1.86 KB

Updated patch to include hooks to invalidate tags when an entity is modified.

fskreuz’s picture

fskreuz commented
StatusFileSize
new interdiff.txt1.95 KB
new permissions_by_term-tag_and_invalidate_cached_access_results-3238759.patch7.75 KB

Added additional check to only invalidate on content entities.

fskreuz’s picture

fskreuz commented
Status: Active » Needs review
jepster_’s picture

jepster_
Location 🇩🇪Düsseldorf
commented
Status: Needs review » Postponed (maintainer needs more info)

Hi,

sorry, I cannot reproduce this. I have created a media document, attached a private file to it and the access was always restricted. First request after cache clear and the next request. I have tested it on an environment with Drupal, Permissions by Term and Permissions by Entity installed only. Maybe your issue is somehow tied to any other dependency. It can help to install an new Drupal installation with a limited amount of modules for isolating the issue.

ytsurk’s picture

ytsurk
Location Switzerland
commented

There are clear steps on how to reproduce this?
Also, by only looking at the code, the problem is visible. Please read the issue description again.

PbE really should be reworked/alinged with PbTs access check logic. Keep in mind, that PbE does have to deal with different entity types, and not "just" nodes.

According to your comment

it looks like you mixed up this issue with #3222563: Permissions by Entity affected by cache - returning wrong access result until cache is cleared

ytsurk’s picture

ytsurk
Location Switzerland
commented
Priority: Normal » Critical

This is a serious security threat!

fskreuz’s picture

fskreuz commented

@Peter I have steps to reproduce over at https://www.drupal.org/project/permissions_by_term/issues/3256980 (which I closed when I discovered this issue is similar and already had a working patch).

@ytsurk Indeed it is a security issue, would fall under the information disclosure category.

ytsurk’s picture

ytsurk
Location Switzerland
commented
Issue summary: View changes
ytsurk’s picture

ytsurk
Location Switzerland
commented
Status: Postponed (maintainer needs more info) » Needs review

Putting this on the map again.

Peter, you need a node and media entity with the same id. Please follow my instructions in the issue description!

jaymcgraw’s picture

jaymcgraw commented

From the experience of someone testing this module out on a new dev site starting with no content, I was about ready to give up on this module because it didn't work as expected. Then I dove in to the code, discovered this issue and realized it wasn't working because I was testing with node id 1 and paragraph id 1 and media id 1. I agree it's a security issue, and it's also a poor experience to someone new to the module. I'm glad to see there's an issue opened with a patch for this.

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community

This patch worked for me.

I'm 100% all for getting permissions_by_entity working better as users want to use this with media but appears to be lacking.

julianvppw’s picture

julianvppw commented

With permissions_by_entity being a sub-module of permissions_by_term, I wasn't sure where to apply this patch:

permissions_by_term-tag_and_invalidate_cached_access_results-3238759.patch

For every location I tried (web/modules and web/modules/contrib/permissions_by_term/modules) files were not being updated or created.

So I applied the patch manually. But still, Media Entities are being cached in the /jsonapi/media/private_document endpoint.

This means when I clear cache, first request works but it becomes a snapshot for subsequent requests.

ambient.impact’s picture

ambient.impact
they/them
Primary language English
Location Toronto
commented

@julianvppw Patches are relative to the project, not a sub-module. That means it should be applied to web/modules/contrib/permissions_by_term

jepster_’s picture

jepster_
Location 🇩🇪Düsseldorf
commented
Status: Reviewed & tested by the community » Fixed

Thanks for the patch. Released via version 3.1.18.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.