"content_access_author" grant does not react to role changes

Created on 20 April 2015, over 9 years ago
Updated 28 April 2023, over 1 year ago

It seems like if a user creates nodes of a type that they have permission to create, and then their role later changes, the grants are not updated appropriately to consider whether the user's new roles would allow him or her to access the nodes he or she has authored.

Repro steps:

1. Create a role called "access own projects" that has the "View own project content" permission.
2. Create a user who has the "access own projects" role.
3. Log in as the user in step #2.
4. As the new user, create a project node.
5. Remove the "access own projects" role from the user created in step #2.
6. Rebuild node access permissions.
7. Grant the user from step #2 the "access own projects" role.
8. As the user in step #2, attempt to view the node created in step #4.

Expected result:

The node should be accessible in both steps #4 and 8.

Actual result:

The node is only accessible to the user in step #4. The user gets an access denied error in step #8.

In addition, in the "node_access" table, a "content_access_author" grant is created for the user for the new node after step #4, but after step #6 the grant disappears and does not return after step #7.

Alternate Repro steps:

1. Create a role called "access own projects" that has the "View own project content" permission.
2. Create a new role called "access all projects" that has the "View own project content" and "View any project content" permissions.
3. Create a user who has the "access all projects" role.
4. Log in as the user in step #3.
5. As the new user, create a project node.
6. Remove the "access all projects" role from the user created in step #3 and grant the user the "access own projects" role instead.
7. As the user in step #3, attempt to view the node created in step #5.

Expected result:

The node should be accessible in both steps #5 and 7.

Actual result:

The node is only accessible to the user in step #5. The user gets an access denied error in step #7.

In addition, the user never receives a "content_access_author" grant in the "node_access" table after steps #5 or #7.

Assessment

My guess is that the module is over-optimizing the author grants. It assumes that user roles are static, when in fact they might change. Consequently, the only way to get content access to be correct when users change roles is to rebuild content permissions whenever any user changes roles.

🐛 Bug report

Status: Fixed
Version: 1.0
Component: Code
Created by: 🇺🇸 United States GuyPaddock
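An added example, not part of the original report or the module's code: a small Python model of the behaviour described above, in which the "content_access_author" row is computed from the author's roles at write time. The `Site` class, the user and node ids, and the `reacquire` option (recomputing a user's own rows when their roles change) are assumptions for illustration; `stale()` is an audit listing nodes whose author is entitled to "view own" by current roles but cannot view them.

```python
# Added illustration: a simplified model, not Content Access or Drupal code.
VIEW_OWN, VIEW_ANY = "View own project content", "View any project content"
ROLE_PERMS = {"access own projects": {VIEW_OWN},
              "access all projects": {VIEW_OWN, VIEW_ANY}}

class Site:
    def __init__(self):
        self.roles, self.authors = {}, {}  # uid -> role names; nid -> author uid
        self.node_access = set()           # (nid, realm, gid) rows

    def perms(self, uid):
        return set().union(*(ROLE_PERMS[r] for r in self.roles.get(uid, ())))

    def acquire(self, uid=None):
        # Assumed behaviour: the author row is decided from the author's roles at
        # write time, skipped if "view any" applies. uid=None is a full rebuild.
        for nid, author in self.authors.items():
            if uid in (None, author):
                row = (nid, "content_access_author", author)
                self.node_access.discard(row)
                p = self.perms(author)
                if VIEW_OWN in p and VIEW_ANY not in p:
                    self.node_access.add(row)

    def set_roles(self, uid, roles, reacquire=False):
        self.roles[uid] = set(roles)
        if reacquire:  # mitigation: recompute rows for this user's own nodes
            self.acquire(uid)

    def can_view(self, uid, nid):
        return (VIEW_ANY in self.perms(uid)
                or (nid, "content_access_author", uid) in self.node_access)

    def stale(self):
        # Audit: authors entitled to "view own" by current roles who cannot view.
        return [n for n, a in self.authors.items()
                if VIEW_OWN in self.perms(a) and not self.can_view(a, n)]

def repro(alternate=False, reacquire=False):
    s, uid, nid = Site(), 2, 10  # constructed ids
    s.set_roles(uid, ["access all projects" if alternate else "access own projects"])
    s.authors[nid] = uid         # the user creates a project node
    s.acquire(uid)
    first = s.can_view(uid, nid)
    if not alternate:            # primary steps: drop the role, then rebuild
        s.set_roles(uid, [], reacquire)
        s.acquire()
    s.set_roles(uid, ["access own projects"], reacquire)
    return first, s.can_view(uid, nid), s.stale()
```

`repro()` and `repro(alternate=True)` return the author's access right after creating the node, the access at the final step, and the audit result; passing `reacquire=True` shows the same steps with rows recomputed on each role change.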
