Remove AccessDeniedHttpException details from log messages

Created on 8 January 2022, almost 3 years ago
Updated 21 September 2024, 2 months ago

Problem/Motivation

Hi everyone,
I would like to report an issue with the Drupal core routing system, which provides access to users based on content publishing state. Please be informed that unpublished content on a multilingual website receives an error which is stated below:

Path: /fa/node/1. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/lib/tugboat/stm/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

Seems that the line refers to the below function: CacheableAccessDeniedHttpException

    if (!$access_result->isAllowed()) {
      if ($access_result instanceof CacheableDependencyInterface && $request->isMethodCacheable()) {
        throw new CacheableAccessDeniedHttpException($access_result, $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
      }
      else {
        throw new AccessDeniedHttpException($access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
      }
    }

Steps to reproduce

1- Install Drupal 9.3.2 / Drupal 9.3.0 with PHP 8 / PHP 7.3.x
2- Install localization / language module
3- Install secondary language and make the setup multilingual
4- Add a basic page and make it unpublished
5- Browse to the URL with an anonymous user

Proposed resolution

Seems that the issue is related to the publish state of the article when the multilingual feature is activated. Since I do not have a developer's view of this matter, I could not provide a solution. In the meantime, I recreated this issue with simplytest.me and advise looking at the screenshots provided.
Please find the screens as attached.
Thank you.

Feature request
Status

Active

Version

11.0 🔥

Component
Routing 

Last updated 1 day ago

Created by

🇮🇷Iran tsotoodeh

  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇨🇦Canada deviantintegral

    We ran into this as well, as the error came up in a situation where we thought there was a bug in our code. It wasn't clear to any of our developers that this was a normal condition for 403 and 404 responses.

    What's challenging about this is that as a site owner, the word "Exception" usually means "something has gone wrong and code needs to be fixed", not "a request returned 403 or 404 but the site is working fine".

    This also causes problems with monitoring tools like New Relic, because they will track all exceptions and not automatically ignore these as errors.

    As is, the current log message isn't very helpful to users who aren't developers.

    Instead of:

    Path: /admin/content. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: The 'access content overview' permission is required. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/www/html/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

    I think a better message would be something like:

    The user (name or anonymous) was denied access to (path) as they have not been granted the (permission) permission.

    For reference, the logging occurs in core/lib/Drupal/Core/EventSubscriber/ExceptionLoggingSubscriber.php. It would be possible to alter or replace this subscriber.

    Given that many sites will prefer to track 403s or 404s outside, I think it also makes sense for this to be possible to disable entirely. That way, we prevent log spam in Drupal in the case of crawlers hitting many 404s, letting external systems like Google Analytics or web server logs handle tracking those responses.
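An added example, not part of the comment above or of Drupal core: a Python triage filter for sites that forward Drupal's log to an external monitor. It recognizes the access-denied lines quoted on this page, rewrites them as a plain summary, and leaves every other message as an alert. The regex is inferred from those quoted lines; `triage`, `split_alerts` and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Layout inferred from the log lines quoted on this page; the "Path:" prefix is
# treated as optional (assumption) so other exception messages still parse.
LINE_RE = re.compile(
    r"^(?:Path: (?P<path>\S+)\. )?"
    r"(?P<exc>[\w\\]+):\s*(?P<reason>.*?)\s*in "
    r"(?P<caller>[\w\\]+->\w+\(\)) "
    r"\(line (?P<line>\d+) of (?P<file>.+)\)\.$"
)
# Exception classes thrown by the checkAccess() snippet in the issue summary.
ROUTINE_403 = {"CacheableAccessDeniedHttpException", "AccessDeniedHttpException"}


def triage(line):
    """Return a dict describing one log message, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    path = m["path"] or "(unknown path)"
    if m["exc"].rsplit("\\", 1)[-1] in ROUTINE_403:
        # Plain-language summary; the class name and server file path are dropped.
        reason = m["reason"] or "no reason recorded"
        return {"kind": "access_denied", "path": path,
                "summary": f"Access denied to {path}: {reason}"}
    # Anything else keeps its full text so it can be investigated.
    return {"kind": "exception", "path": path, "summary": line.strip()}


def split_alerts(lines):
    """Count routine 403s per path and collect the lines that deserve an alert."""
    denied, alerts = Counter(), []
    for line in lines:
        item = triage(line)
        if item is None or item["kind"] == "exception":
            alerts.append(line.strip())  # unparsed lines are never silently dropped
        else:
            denied[item["path"]] += 1
    return denied, alerts


# The first two lines are quoted from this page; the third is constructed.
SAMPLE = [
    r"Path: /admin/content. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: The 'access content overview' permission is required. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/www/html/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).",
    r"Path: /fa/node/1. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/lib/tugboat/stm/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).",
    r"TypeError: Constructed failure in Drupal\example\Controller\Demo->view() (line 42 of /srv/example/Demo.php).",
]
```

Calling `split_alerts(SAMPLE)` returns the per-path count of routine denials and a list holding only the constructed `TypeError` line.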

  • 🇺🇸United States greenskin

    We're witnessing these log messages when accessing pages that don't explicitly grant access (i.e., access result is neutral), which seems like a bug to me.

  • 🇩🇪Germany Anybody Porta Westfalica

    Agree with @cilefen in #13:

    I am a -1 on this idea because IMO, more information is always better.

    but of course also see the other side.

    So perhaps a contrib module could hook in and prevent logging this kind of error for anyone who has an issue with that?

  • 🇮🇳India mukhtarm

    I don't know whether the issue is related or not, but I am getting the same log in Drupal Commerce, while on the review page of a product checkout:

    Path: /checkout/49/review. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /code/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

    and
    User: Anonymous (not verified). I don't get why the user is Anonymous, because I am still logged in and I am making the order :) !

  • 🇬🇧United Kingdom cebab54

    I am getting the same issue with users that are authenticated and until about three weeks ago had access to pages (all with correct permissions to display pages and menu items) but suddenly these pages are now unauthorised to the same users. Other strange permissions issues are showing up in Views that also previously worked fine for Users.

    I am at my wits end trying to understand what has happened with the permissions and have checked all permissions and they are correct as designed.

    Is this something to do with Drupal Core?

    Any suggestions as to how to resolve this would be appreciated.

    User 1 can still use the site as designed, just not users!

  • 🇺🇸United States tjtj

    I get this too. My Config menu has disappeared, and when I manually go to admin/config, I get "access denied":
    Path: /admin/config. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 115 of /home/myname/public_html/mysite/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).
    I am admin. How do I track this down?

  • 🇬🇧United Kingdom catch

    @tjtj your issue is different to the one reported here. You might have better luck in the #support channel on Drupal slack.

    I agree these shouldn't be logged as exceptions; we should just extract the message instead.

  • 🇧🇷Brazil astutonet Sao Paulo, SP

    Hi guys.

    This issue may be bigger than it seems. Let me explain: I'm running a local version of Drupal 10.3.5, which is a mirror of a production version.

    I've been noticing this type of message for a while now, but I hadn't worried about it yet.

    Today, I was testing to add a block to an existing content type, but I couldn't add the block and when I checked the error log, I saw the following message:

    The interesting thing is that, since it's a local version, only I was logged into the site, but the system is recognizing me as an anonymous user.

    I've been noticing the same type of problem when accessing other parts of the site's administrative area and I think the problem is related to Cache and Permissions.

  • 🇺🇸United States seanr

    We're having the exact same issue astutonet just mentioned, except for us it's only happening on production (not staging or local using ddev). It is intermittent. We've ruled out anything on the Drupal side. Both that comment and mine aren't really related to this issue other than the fact that I at least agree that the error is too verbose when it's obviously just Anonymous trying to access something it doesn't have access to.

    Does a generic 403 really need to capture such verbose data? My suggestion for this ticket is to make it configurable and off by default. If you really need it for dev/debug purposes, you would go to /admin/config/development/logging and enable it.
