"content_access_author" grant does not react to role changes

Created on 20 April 2015, about 9 years ago

Updated 28 April 2023, about 1 year ago

It seems like if a user creates nodes of a type that they have permission to create, and then their role later changes, the grants are not updated appropriately to consider whether the user's new roles would allow him or her to access the nodes he or she has authored.

Repro steps:

1. Create a role called "access own projects" that has the "View own project content" permission.
2. Create a user who has the "access own projects" role.
3. Log-in as the user in step #2.
4. As the new user, create a project node.
5. Remove the "access own projects" role from the user created in step #2.
6. Rebuild node access permissions.
7. Grant the user from step #2 the "access own projects" role.
8. As the user in step #2, attempt to view the node created in step #4.

Expected result:

The node should be accessible in both steps #4 and 8.

Actual result:

The node is only accessible to the user in step #4. The user gets an access denied error in step #8.

In addition, in the "node_access" table, a "content_access_author" grant is created for the user for the new node after step #4, but after step #6 the grant disappears and does not return after step #7.

Alternate Repro steps:

1. Create a role called "access own projects" that has the "View own project content" permission
2. Create a new role called "access all projects" that has the "View own project content" and "View any project content"
3. Create a user who has the "access all projects" role.
4. Log-in as the user in step #3.
5. As the new user, create a project node.
6. Remove the "access all projects" role from the user created in step #3 and grant the user the "access own projects" role instead.
7. As the user in step #3, attempt to view the node created in step #5.

Expected result:

The node should be accessible in both steps #5 and 7.

Actual result:

The node is only accessible to the user in step #5. The user gets an access denied error in step #7.

In addition, the user never receives a "content_access_author" grant in the "node_access" table after steps #5 or #7.

Assessment

My guess is that the module is over-optimizing the author grants. It assumes that user roles are static, when in fact they might change. Consequently, the only way to get content access to be correct when users change roles is to rebuild content permissions whenever any user changes roles.

🐛 Bug report

Status

Fixed

Version

1.0

Component

Code

Created by

🇺🇸United States GuyPaddock

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 1 year ago →
System Message

mkindred → authored eafe179b on 7.x-1.x
Issue #2474309 by mkindred: Fixed does not react to role changes'
Status changed to Fixed about 1 year ago4:48pm 28 April 2023
Comment about 1 year ago →
🇳🇴Norway gisle Norway
Thanks for the patch!

A more elegant solution would be to silently rebuild the permissions when required, but I accept this solution (to prompt the administrator to rebuild these permissions when required).

This has been committed to 7.x-1.x-dev.

The same bug exists in the 2.0.x branch. I shall open up a separate issue for that.
Comment about 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024