NodeAccessControlHandler::checkAccess() does not add a necessary cache context

Created on 30 June 2018, over 6 years ago
Updated 27 May 2024, 7 months ago
  1. Fresh install drupal8.5.x,jsonapi,devel,basic_auth
  2. Create two authenticated user: jim and odin
  3. Give "View own unpublished content" and "Article: Create new content"permission to authenticated user
  4. Use jim to create one unpublished article
  5. Clear cache
  6. use odin GET /jsonapi/node/article through postman, we get empty result.
    {
        "data": [],
        "jsonapi": {
            "version": "1.0",
            "meta": {
                "links": {
                    "self": "http://jsonapi.org/format/1.0/"
                }
            }
        },
        "links": {
            "self": "http://cache.n8/jsonapi/node/article"
        },
        ...
    }
      
  7. Then use jim to GET /jsonapi/node/article through postman, the data is still empty
    {
        "data": [],
        "jsonapi": {
            "version": "1.0",
            "meta": {
                "links": {
                    "self": "http://jsonapi.org/format/1.0/"
                }
            }
        },
        "links": {
            "self": "http://cache.n8/jsonapi/node/article"
        },
        ...
    }
      
  8. Clear cache
  9. Use jim to GET /jsonapi/node/article through postman we can get right result.
    {
        "data": [
            {
                "type": "node--article",
                "id": "32023099-4805-4be1-921a-9e03dd622561",
                "attributes": {
                    "nid": 1,
                    "uuid": "32023099-4805-4be1-921a-9e03dd622561",
                    "vid": 2,
                    "langcode": "en",
                    "revision_timestamp": "2018-06-30T15:30:17+00:00",
            ...
    }
    
πŸ› Bug report
Status

Closed: duplicate

Version

11.0 πŸ”₯

Component
Node systemΒ  β†’

Last updated 2 days ago

No maintainer
Created by

πŸ‡¨πŸ‡³China lawxen

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • This issue seems old and abandoned but is similar to a problem I'm facing.
    So admin users have permissions to view unpublished content.
    If the admin user unpublished content and an unauthenticated user was first to visit the jsonapi node endpoint, then the unauthenticated user would not load content as expected.
    But…
    If the Admin user is the first to visit the jsonapi node endpoint after unpublishing the node, then unauthenticated users visiting same endpoint can also see the unpublished data until I manually clear cache(not expected)

  • πŸ‡­πŸ‡ΊHungary mxr576 Hungary
  • Merge request !8157Cache result by user when it is necessary β†’ (Open) created by mxr576
  • Pipeline finished with Failed
    7 months ago
    Total: 177s
    #179737
  • Pipeline finished with Failed
    7 months ago
    Total: 524s
    #179912
  • πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    So MR #8157 currently implements the suggested approach from [#2982770#comment-12669550] but it only adds cache per user when there are no node_grants implementation in the system. It should be sufficient because when there are node_grants implementations then user.node_grants:view cache context gets bubbled up.

  • πŸ‡ΊπŸ‡ΈUnited States danflanagan8 St. Louis, US

    This looks very much related to πŸ› Access cacheability is not correct when "view own unpublished content" is in use Needs work . Actually they looks like dupes. Should probably close that one since it's way more recent. There's a patch on that one that might be worth reviewing though.

    I found some nice related issues while reporting that one. In particular, I felt like the real solution was to be found in πŸ“Œ Introduce entity permission providers Needs work .

  • πŸ‡ΊπŸ‡ΈUnited States danflanagan8 St. Louis, US

    Adding the related issue I noted in #35. The steps to reproduce on that one don't involve jsonapi which may simplify things.

  • πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    @danflanagan8 Thanks for the issue reference! Actually the fix in that issue is more to the point and less invasive as it does not impact the cacheability of pages that much as the suggested fix here.

    If πŸ› Access cacheability is not correct when "view own unpublished content" is in use Needs work would get a test coverage and it would be proved that it also fixes this issue (I do not see atm why not) then both issues could be marked as resolved with the fix in the other issue.

  • πŸ‡³πŸ‡±Netherlands bbrala Netherlands

    Related issue you mentioned that perhaps this issue is best after all.

    I checked the test failures, all functional test failures are because of widened context i think. That kinda makes sense. So 'user' instead of 'user.permission'. Those are all good.

    The 2 javascript failures are a bit more cryptic. Might be a header count, which then would make sense again.

    Wish every assertion had a failure text... ;(

  • Status changed to Closed: duplicate 7 months ago
  • πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    Wish every assertion had a failure text... ;(

    +1 on that, I wish all assert methods would allow adding a failure text...

    Now that I have a minimalist failing test in πŸ› Access cacheability is not correct when "view own unpublished content" is in use Needs work that has nothing to do with the beast-that-love-and-called-JSONAPI, I think this issue can and should be closed as duplicate and issue credits should be transferred to the other issue.

    I checked the test failures, all functional test failures are because of widened context i think. That kinda makes sense. So 'user' instead of 'user.permission'. Those are all good.

    I also believe that they are correct, my only question is there is a less invasive way to fix this... but maybe there is no other :S

  • πŸ‡³πŸ‡±Netherlands bbrala Netherlands

    beast-that-love-and-called-JSONAPI haha ;)

Production build 0.71.5 2024