Contrib.social

Logic flaw in grants?

Open on Drupal.org โ†’
Created on 11 April 2019, about 5 years ago
Updated 24 January 2024, 5 months ago

From [2909853-12]:
> always set an empty value to the current domain, because that's the behavior in domain_access_node_access_records()

Looking into the code, i see

function domain_access_node_access_records(NodeInterface $node) {
...
    // If there are no domains set, use the current one.
    $domains = \Drupal::service('domain_access.manager')->getAccessValues($translation);
    /** @var \Drupal\domain\DomainInterface $active */
    if (empty($domains) && $active = \Drupal::service('domain.negotiator')->getActiveDomain()) {
      $domains[$active->id()] = $active->getDomainId();
    }

Maybe i'm off track, but to me this means, the node grants depend (for empty field_domain_access) on the domain where i click the "Rebuild node permissions" button (which then batch-calls this function).

This only applies to empty domain field_domain_access which is prevented now. But even if it might sound strange, i guess people will have valid use cases for this and i do not see a conceptual problem with it.

๐Ÿ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

๐Ÿ‡ฉ๐Ÿ‡ชGermany geek-merlin Freiburg, Germany

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 5 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ฆUkraine gilmord ๐Ÿ‡บ๐Ÿ‡ฆUkraine

    Just faced this issue - I only need domain_access for users, all the content is shared between domains. I have deleted the fields but node_access table is still full of grants.

    There is no built option to disable this module for content, content is locked to the active or default domain. According to attached issue I have to grant nodes to all domains which will make useless access checks as it always should be accessible.

    I would say a propper option here is to disable grants and access records hooks so if domain_access is not needed for content it can be disabled.

  • Comment 5 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ฆUkraine gilmord ๐Ÿ‡บ๐Ÿ‡ฆUkraine

    For now, I have just disabled the hooks, works well so far.

    /**
 * Implements hook_module_implements_alter().
 */
function YOUR_MODULE_module_implements_alter(&$implementations, $hook) {
  // Before the issue is resolved we disable access hooks
  // to allow content in all domains.
  // @see: https://www.drupal.org/project/domain/issues/3047514
  $disable_hooks = [
    'node_access_records',
    'node_grants',
  ];
  if (in_array($hook, $disable_hooks)
    && isset($implementations['domain_access'])
  ) {
    unset($implementations['domain_access']);
  }
}
  • Status changed to Active 5 months ago
  • Comment 5 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ฆUkraine gilmord ๐Ÿ‡บ๐Ÿ‡ฆUkraine

    In any case this does not seem to be a good approach to force domains. Imagine having millions of nodes and only small part of it is domain-restricted - node_access table will be flooded with millions of useless records. If there are translations - the number will be doubled/tripled/etc

    I think this issue should be handled and it should not work like that by design.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024