- United States rschwab
I just started coming across this problem as of 3.10. It pops up when using a link with the 'destination' parameter, as in this twig template snippet:
<a href="/saml/login?destination={{ path('<current>') }}">Website Login</a>
With "Correctly handle cache data instead of throwing an Exception in EarlyRenderingControllerWrapperSubscriber()" (Fixed), maybe this isn't a problem anymore? Or rather, the problem is no longer an exception?
- Netherlands roderik Amsterdam,NL / Budapest,HU
Embarrassingly, 3.x-1.10 itself contains an error that triggered the warning and therefore should be fixed. Your issue is probably fixed with "Cacheability Metadata Leakage Error on SAML Login with Samlauth and r4032 Redirect Module Active". 8.x-3.11 is out now.
- United States matthand Riverdale Park, Maryland
Just reporting that I am still seeing this error, even in 3.11.
- United States mark_fullmer Tucson
> But I would really rather that people fix their sites and post known patches here
Yes, I can do that! I can verify the following:
- Using Samlauth 3.11 on its own does not trigger this warning for multiple sites I tested
- Using the Metatag module (see #6 and #8 above) does not trigger this warning, at least not with the configuration we have.
- What *is* triggering this warning is a custom implementation of hook_user_login() that modifies the destination parameter, passing a Drupal Url object as the parameter WITHOUT SPECIFYING that the metadata should bubble:
From Core's API, the Url::fromRoute->toString() method takes an optional parameter that defaults to FALSE:
public function toString($collect_bubbleable_metadata = FALSE) {
In the case of my custom code, this change suppressed the warning:
/** * Implements hook_user_login(). */ function mymodule_user_login($account) { $param = \Drupal::request()->query->all(); if (!$param || !isset($param['destination'])) { // For every user but "user 1", redirect to /dashboard upon login. if ($account->id() != 1) { - \Drupal::service('request_stack')->getCurrentRequest()->query->set('destination', Url::fromRoute('MYMODULE.ROUTE')->toString()); + \Drupal::service('request_stack')->getCurrentRequest()->query->set('destination', Url::fromRoute('MYMODULE.ROUTE')->toString(TRUE)->getGeneratedUrl()); } } }
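Review bot: on the + line, toString(TRUE) returns an object carrying the URL's cacheability metadata, and that metadata is dropped as soon as getGeneratedUrl() is called. That is reasonable for a redirect destination that is never rendered, but it deserves a one-line comment saying so, so a later cleanup does not shorten it back to toString(). In the guard, the !$param || test is redundant next to !isset($param['destination']), and the hook reads the query through \Drupal::request() but writes it through \Drupal::service('request_stack')->getCurrentRequest(); using one accessor for both would be clearer.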
My conclusion is that for the majority of folks coming to this issue, the problem is probably in custom code that implements hook_user_login().
- New Zealand RoSk0 Wellington
Thanks for the pointer @mark_fullmer!
I did have custom code in hook_user_login() that did a "destination"-based redirect to the Url::fromRoute()->toString(), and it did produce the warning for every login.
I've tried to use the suggested Url::fromRoute()->toString(TRUE)->getGeneratedUrl() and it did get rid of the warning.
That made me wonder and I started digging.
The Url::fromRoute()->toString() bubbles metadata by default, but only if called in the render context, and everything generated from the controllers is rendered with the render context that is the request that the controller is responding to. See \Drupal\Core\Render\Renderer::getCurrentRenderContext() and the comment in the \Drupal\Core\Render\MetadataBubblingUrlGenerator::bubble() method body (provided below):
> Bubbling metadata makes sense only if the code is executed inside a render context. All code running outside controllers has no render context by default, so URLs used there are not supposed to affect the response cacheability.
Posting this as a reminder to myself and anyone else confused like me - if you are not rendering anything in your controller, it doesn't mean that there is no render context involved!
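
A simplified, self-contained model of the behaviour discussed in this thread, added here as an illustration; it is not Drupal core or samlauth code. ToyRenderer, ToyUrl and runController are hypothetical stand-ins, and the 'url.site' metadata and '/dashboard' path are constructed sample values. It contrasts toString() and toString(TRUE) inside a render context, and toString() with no render context at all.

```php
<?php
// Toy model of render-context bubbling; every name here is hypothetical.
final class ToyRenderer {
  private array $stack = [];  // one list of cache contexts per active render context

  public function hasRenderContext(): bool { return $this->stack !== []; }
  // Merge metadata into the innermost active context.
  public function bubble(array $contexts): void {
    $top = array_key_last($this->stack);
    $this->stack[$top] = array_merge($this->stack[$top], $contexts);
  }

  // Run $fn inside a fresh context; return its result and whatever bubbled.
  public function executeInRenderContext(callable $fn): array {
    $this->stack[] = [];
    $result = $fn();
    return [$result, array_pop($this->stack)];
  }
}

final class ToyUrl {
  public function __construct(private ToyRenderer $renderer, private string $path) {}
  // Same shape as toString($collect_bubbleable_metadata = FALSE) quoted above.
  public function toString(bool $collect = false): string|array {
    $contexts = ['url.site'];  // constructed sample metadata
    if ($collect) {
      // The caller receives the metadata; nothing reaches the render context.
      return ['url' => $this->path, 'contexts' => $contexts];
    }
    if ($this->renderer->hasRenderContext()) {
      $this->renderer->bubble($contexts);
    }
    return $this->path;
  }
}

// Stand-in for the wrapper around a login controller that returns a redirect:
// metadata still sitting in the context afterwards is reported as leaked.
function runController(ToyRenderer $r, callable $controller): string {
  [$target, $leaked] = $r->executeInRenderContext($controller);
  return "redirect to $target: " . ($leaked === [] ? 'clean' : 'leaked ' . implode(', ', $leaked));
}

$r = new ToyRenderer();
$url = new ToyUrl($r, '/dashboard');  // constructed destination
echo runController($r, fn() => $url->toString()), "\n";
echo runController($r, fn() => $url->toString(true)['url']), "\n";
echo $url->toString(), " (called with no render context)\n";
```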