Remove AccessDeniedHttpException details from log messages

Created on 8 January 2022, over 2 years ago
Updated 6 October 2023, 9 months ago

Problem/Motivation

Hi everyone,
I would like to report an issue with the Drupal core routing system, which provides access to users based on content publishing state. Please be informed that unpublished content on a multilingual website receives an error, which is stated below:

Path: /fa/node/1. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/lib/tugboat/stm/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

Seems that the line refers to the below function: CacheableAccessDeniedHttpException

    if (!$access_result->isAllowed()) {
      if ($access_result instanceof CacheableDependencyInterface && $request->isMethodCacheable()) {
        throw new CacheableAccessDeniedHttpException($access_result, $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
      }
      else {
        throw new AccessDeniedHttpException($access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
      }
    }

Steps to reproduce

1- Install Drupal 9.3.2 / Drupal 9.3.0 with PHP 8 / PHP 7.3.x
2- Install localization / language module
3- Install secondary language and make the setup multilingual
4- Add a basic page and make it unpublished
5- Browse to the URL with an anonymous user

Proposed resolution

It seems that the issue is related to the publish state of the article when the multilingual feature is activated. Since I do not have a developer's view of this matter, I could not provide a solution. In the meantime, I recreated this issue with simplytest.me and advise looking at the screenshots provided.
Please find the screens as attached.
Thank you.

✨ Feature request
Status

Active

Version

11.0 🔥

Component
Routing

Last updated 4 days ago

Created by

🇮🇷Iran tsotoodeh

  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇨🇦Canada deviantintegral

    We ran into this as well, as the error came up in a situation where we thought there was a bug in our code. It wasn't clear to any of our developers that this was a normal condition for 403 and 404 responses.

    What's challenging about this is that as a site owner, the word "Exception" usually means "something has gone wrong and code needs to be fixed", not "a request returned 403 or 404 but the site is working fine".

    This also causes problems with monitoring tools like New Relic, because they will track all exceptions and not automatically ignore these as errors.

    As is, the current log message isn't very helpful to users who aren't developers.

    Instead of:

    Path: /admin/content. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: The 'access content overview' permission is required. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/www/html/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

    I think a better message would be something like:

    The user (name or anonymous) was denied access to (path) as they have not been granted the (permission) permission.

    For reference, the logging occurs in core/lib/Drupal/Core/EventSubscriber/ExceptionLoggingSubscriber.php. It would be possible to alter or replace this subscriber.

    Given that many sites will prefer to track 403s or 404s outside, I think it also makes sense for this to be possible to disable entirely. That way, we prevent log spam in Drupal in the case of crawlers hitting many 404s, letting external systems like Google Analytics or web server logs handle tracking those responses.
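
As an added example (not code from this thread or from Drupal core), the following Python parses the 403 log entries quoted above and rewrites them in the wording proposed in the comment, leaving every other entry for error monitoring. The function names, the `user` parameter and the third sample line are assumptions constructed for illustration.

```python
import re

# Layout of the 403 entries quoted in this thread:
#   Path: <uri>. <exception class>: <reason> in <function> (line N of <file>).
LOG_RE = re.compile(
    r"^Path: (?P<path>\S+)\. (?P<type>[\w\\]+): (?P<reason>.*?) ?in "
    r"(?P<function>[\w\\]+(?:->|::)\w+\(\)) \(line (?P<line>\d+) of (?P<file>.+)\)\.$"
)
PERM_RE = re.compile(r"^The '(?P<perm>.+)' permission is required\.$")
DENIED = {"AccessDeniedHttpException", "CacheableAccessDeniedHttpException"}

def parse(line):
    """Split one log message into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_access_denied(entry):
    """True when the logged class is one of the two 403 exceptions from the thread."""
    return entry["type"].rsplit("\\", 1)[-1] in DENIED

def friendly(entry, user="anonymous"):
    """Render the wording proposed in the comment, without class, file or line."""
    base = f"The user {user} was denied access to {entry['path']}"
    m = PERM_RE.match(entry["reason"])
    if m:
        return f"{base} as they have not been granted the '{m['perm']}' permission."
    if entry["reason"]:
        return f"{base}: {entry['reason']}"
    return f"{base}; the access check gave no reason."

def triage(lines, user="anonymous"):
    """Return (rewritten 403 notices, lines left for error monitoring)."""
    denied, other = [], []
    for line in lines:
        entry = parse(line)
        if entry and is_access_denied(entry):
            denied.append(friendly(entry, user))
        else:
            other.append(line)
    return denied, other

SAMPLES = [  # the first two are quoted from the thread; the last is constructed
    r"Path: /admin/content. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: The 'access content overview' permission is required. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/www/html/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).",
    r"Path: /fa/node/1. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/lib/tugboat/stm/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).",
    r"Path: /node/7. TypeError: constructed sample message in Drupal\example\Controller->view() (line 10 of /constructed/example.php).",
]

if __name__ == "__main__":
    denied, other = triage(SAMPLES)
    print(*denied, f"{len(other)} line(s) left for error monitoring", sep="\n")
```

The entry for `/fa/node/1` carries an empty reason, so the rewritten notice says so instead of guessing at a permission.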

  • 🇺🇸United States greenSkin

    We're witnessing these log messages when accessing pages that don't explicitly grant access (i.e., access result is neutral), which seems like a bug to me.

  • 🇩🇪Germany Anybody Porta Westfalica

    Agree with @cilefen in #13:

    I am a -1 on this idea because IMO, more information is always better.

    but of course also see the other side.

    So perhaps a contrib module could hook in and prevent logging these kinds of errors for anyone who has an issue with that?

  • 🇮🇳India MukhtarM

    I don't know whether the issue is related or not, but I am getting the same log in Drupal Commerce, while on the review page of a product checkout, as:

    Path: /checkout/49/review. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /code/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

    and
    User: Anonymous (not verified). I don't get why the user is Anonymous, because I am still logged in and I am making the order :)!

  • 🇬🇧United Kingdom cebab54

    I am getting the same issue with users that are authenticated and until about three weeks ago had access to pages (all with correct permissions to display pages and menu items) but suddenly these pages are now unauthorised to the same users. Other strange permissions issues are showing up in Views that also previously worked fine for Users.

    I am at my wits' end trying to understand what has happened with the permissions and have checked all permissions and they are correct as designed.

    Is this something to do with Drupal Core?

    Any suggestions as to how to resolve this would be appreciated.

    User 1 can still use the site as designed, just not users!
