UserAccessControlHandler::checkAccess() fails to add a user cache context where needed

Created on 12 November 2015, about 9 years ago
Updated 13 October 2023, about 1 year ago

Problem/Motivation

UserAccessControlHandler::checkAccess() has this code:

else if ($account->id() == $entity->id()) {
  return AccessResult::allowed()->cachePerUser();
}
...
return AccessResult::neutral();

The problem is that cachePerUser() is only added on the matching branch. When there is no match (for example, checking whether user 1 can view user 2's profile), the neutral() result carries no user cache context and is therefore cached across all users. If the cache is primed by user 1's request, user 2 then gets the cached neutral result and cannot view their own profile.

Proposed resolution

Use AccessResult::allowedIf() so that ->cachePerUser() is attached to the result in either case, whether or not the account matches the entity. This is the same approach already used for the 'update' and 'delete' operations.
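To make the failure mode concrete, here is a small Python model of the behaviour described above. It is an added example, not Drupal's code: AccessResult and AccessCache are toy stand-ins for Drupal's cacheable access results and a cache that varies its key by the cache contexts a stored result declared. The 'access user profiles' permission branch that precedes the own-profile check in the real handler is left out, as it is in the issue's excerpt, and buggy_view_access / fixed_view_access are hypothetical names for the original and proposed logic.

```python
"""Toy model of cacheable access results and a context-aware access cache.
Constructed for illustration only; this is not Drupal code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessResult:
    state: str                          # 'allowed' or 'neutral'
    contexts: frozenset = frozenset()   # cache contexts the result varies by

    @classmethod
    def allowed(cls):
        return cls('allowed')

    @classmethod
    def neutral(cls):
        return cls('neutral')

    @classmethod
    def allowed_if(cls, condition):
        # Same shape as AccessResult::allowedIf(): allowed or neutral.
        return cls.allowed() if condition else cls.neutral()

    def cache_per_user(self):
        return AccessResult(self.state, self.contexts | {'user'})

    def is_allowed(self):
        return self.state == 'allowed'


class AccessCache:
    """Caches results per (operation, entity). The key is widened only by the
    contexts that stored results declared, as a context-aware cache would do."""

    def __init__(self):
        self.contexts_for = {}   # (op, entity_id) -> union of declared contexts
        self.entries = {}        # full key -> AccessResult

    @staticmethod
    def _context_value(context, account_id):
        # Only the 'user' context is modelled; it resolves to the current account.
        return 'user:%d' % account_id if context == 'user' else context

    def _key(self, base, contexts, account_id):
        return base + tuple(sorted(self._context_value(c, account_id) for c in contexts))

    def get_or_compute(self, op, entity_id, account_id, handler):
        """Return (result, was_cache_hit)."""
        base = (op, entity_id)
        known = self.contexts_for.get(base)
        if known is not None:
            key = self._key(base, known, account_id)
            if key in self.entries:
                return self.entries[key], True
        result = handler(op, entity_id, account_id)
        self.contexts_for[base] = (known or frozenset()) | result.contexts
        self.entries[self._key(base, result.contexts, account_id)] = result
        return result, False


def buggy_view_access(op, entity_id, account_id):
    """Mirrors the reported code: only the own-profile branch is per-user."""
    if op == 'view' and account_id == entity_id:
        return AccessResult.allowed().cache_per_user()
    return AccessResult.neutral()   # no user context: cached for every user


def fixed_view_access(op, entity_id, account_id):
    """Proposed resolution: allowedIf(...)->cachePerUser() on both outcomes."""
    if op == 'view':
        return AccessResult.allowed_if(account_id == entity_id).cache_per_user()
    return AccessResult.neutral()


def simulate(handler):
    """User 1 primes the cache by viewing user 2's profile, then user 2 views
    their own. Returns (user1_allowed, user2_allowed, user2_served_from_cache)."""
    cache = AccessCache()
    first, _ = cache.get_or_compute('view', 2, 1, handler)
    second, hit = cache.get_or_compute('view', 2, 2, handler)
    return first.is_allowed(), second.is_allowed(), hit


if __name__ == '__main__':
    print('buggy:', simulate(buggy_view_access))   # (False, False, True)
    print('fixed:', simulate(fixed_view_access))   # (False, True, False)
```

With the original logic the neutral result stored by user 1 is keyed without a user context, so user 2's request hits that entry and is denied their own profile. With allowedIf(...)->cachePerUser() both outcomes declare the user context, so each account gets its own cache entry and the own-profile check is evaluated for user 2.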

Remaining tasks

None.

User interface changes

None.

API changes

None.

Data model changes

None.

๐Ÿ› Bug report
Status

Needs work

Version

11.0 🔥

Component
User module

Last updated about 4 hours ago

Created by

🇺🇸 United States effulgentsia

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.


Comments & Activities

