Problem/Motivation
While working on
#2889855: Unpublished media entity can not be accessed by owner and update any media/delete any media access possibly cached by user β
we've noticed a couple of bugs in MediaAccessControlHandler
regarding the cache for delete/update access.
- 'edit own type media' permissions is checked and returned before 'update any media' permission, which causes cache per user when it's not needed
- 'delete own type media' permissions is checked and returned before 'delete any media' permission, which causes cache per user when it's not needed
- 'edit any type media' does not have the entity as cacheable dependency
- 'delete any type media' does not have the entity as cacheable dependency
We also have issues when returning a neutral result - we need to be caching per user. We can't just cache per permissions when we return a neutral response as this would cache incorrectly for the use case where a user is denied access, then another user is meant to be granted access based on the fact they are the owner but they have identical permissions (see #9)
1. Create a roll with 'edit own $type media' and 'update any media' permission
2. Create a user and assign the role created in step 1.
3. Create a media item of $type
4. Login as the user from step 2
5. Try to edit the media item of step 3
Expected:
The access result is cached per permission.
Actual:
The access result is cached per user.
1. Create a roll with 'delete own $type media' and 'delete any media' permission
2. Create a user and assign the role created in step 1.
3. Create a media item of $type
4. Login as the user from step 2
5. Try to delete the media item of step 3
Expected:
The access result is cached per permission.
Actual:
The access result is cached per user.
1. Create a roll with 'delete own $type media'
2. Create 2 users and assign the role created in step 1.
3. Create a media item of $type and make user A the owner
4. Login as the user B from step 2
5. Try to delete the media item of step 3 and get access denied
6. Login as user A from step 2
7. Try to delete media item
Expected:
Access is granted.
Actual:
Access is not granted because previous result was cached only by permissions.
Proposed resolution
Fix update/delete access cache issues and add extensive tests for it.
- Make sure the generic 'update any media' / 'edit any $type media' permissions are checked before the user specific 'update own media' / 'edit own $type media'.
- Make sure the generic 'delete any media' / 'delete any $type media' permissions are checked before the user specific 'delete own media' / 'delete own $type media'.
Remaining tasks
User interface changes
API changes
Data model changes