[PP-1] Access cacheability is not correct when "view own unpublished content" is in use

Created on 4 May 2022, about 2 years ago
Updated 14 June 2024, 2 days ago

Problem/Motivation

Access cacheability is not correct when the "view own unpublished content" permission is in use, leading to improperly cached render arrays.

Steps to reproduce

(See even more minimalist reproduction steps in MR !8198)

1. Standard install
2. Add an entity reference field to the Page content type called "Related Articles" where article content can be referenced.
3. Configure the "Related Articles" field to display as a rendered entity.
4. Create a Content Editor named "Dan".
5. Log in as Dan
6. Create an Article named "Dan's Article".
7. Create a Page named "Test Page" and add "Dan's Article" as a Related Article.
8. As the admin, unpublish "Dan's Article"
9. As Dan, View "Test Page". You will see "Dan's Article" rendered in pink. Good.
10. Create a new Content Editor named Flan.
11. Log in as Flan.
12. As Flan, view "Test Page". You will NOT see "Dan's Article". Good.
13. Clear Caches.
14. As Flan, view "Test Page". You will NOT see "Dan's Article". Good.
15. As Dan, view "Test Page". You will NOT see "Dan's Article". This is not correct.

Note that you will never see MORE than you are supposed to see. This is not an access bypass problem. Rather, you will potentially see less than you are supposed to see.

In this particular case, the incorrect cacheable metadata is being created within EntityReferenceFormatterBase::getEntitiesToView:

$access = $this->checkAccess($entity);
// Add the access result's cacheability, ::view() needs it.
$item->_accessCacheability = CacheableMetadata::createFromObject($access);

Proposed resolution

Bubble up the user cache context when there is no other option, since the lack of a proper cache context on the final render result causes this problem.
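
The effect of the missing context can be reproduced with a toy render cache. This is an added example, not Drupal's implementation or code from the merge request; the function names, array shapes and uid values are constructed for illustration. It replays steps 13 to 15 twice, once keyed only by user.permissions and once with the user context added.

```php
<?php
// Toy model of a context-keyed render cache (constructed for this example).

/** Access rule from the issue: published, or viewed by its owner. */
function can_view(array $node, array $user): bool {
  return $node['published'] || $node['owner'] === $user['uid'];
}

/** Resolve cache context names to the current user's values. */
function context_values(array $contexts, array $user): string {
  $map = [
    'user' => 'u' . $user['uid'],
    'user.permissions' => 'p:' . implode(',', $user['roles']),
  ];
  return implode('|', array_map(fn($c) => $map[$c], $contexts));
}

/** Render the referenced node through a cache keyed by the given contexts. */
function render_related(array &$cache, array $node, array $user, array $contexts): string {
  $cid = 'node:' . $node['nid'] . ':' . context_values($contexts, $user);
  if (!isset($cache[$cid])) {
    // Cache miss: the access decision is baked into the cached output.
    $cache[$cid] = can_view($node, $user) ? $node['title'] : '';
  }
  return $cache[$cid];
}

// Constructed sample data: an unpublished article owned by Dan (uid 2).
$article = ['nid' => 1, 'title' => "Dan's Article", 'owner' => 2, 'published' => false];
$dan  = ['uid' => 2, 'roles' => ['content_editor']];
$flan = ['uid' => 3, 'roles' => ['content_editor']];

foreach ([['user.permissions'], ['user.permissions', 'user']] as $contexts) {
  $cache = [];                                                          // step 13
  $seen_by_flan = render_related($cache, $article, $flan, $contexts);  // step 14
  $seen_by_dan  = render_related($cache, $article, $dan, $contexts);   // step 15
  printf("contexts=[%s] Flan sees %s, Dan sees %s\n",
    implode(', ', $contexts), json_encode($seen_by_flan), json_encode($seen_by_dan));
}
```

With only user.permissions in the key, Dan and Flan share one cache entry because they hold the same role, so whoever populates the cache first decides what both see.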

Remaining tasks

  1. Fix 📌 "Cacheability information from route access checker access results are ignored by dynamic_page_cache" (Needs review), because it is currently a blocker of fixing this one; see more details in https://git.drupalcode.org/project/drupal/-/merge_requests/8198#note_317834

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

N/A

🐛 Bug report
Status

Postponed

Version

11.0 🔥

Component
Node system

No maintainer
Created by

🇺🇸 United States danflanagan8 St. Louis, US
