Nodes accessible on all domains regardless of domain assignment

drupal 9.5.7,
same problem after updating form 8.x-1.0-beta6

mickael@kaneva.io → made their first commit to this issue’s fork.

Hello,

Same with last beta version and drupal 9.5.4

Thanks !

I have just encountered the same problem.

Drupal 9.5.7
Domain 8.x-1.0-beta8 or 2.0.x-dev, I tried both with the same result.

I have found a working trick, but I think this is a serious issue I encounter since the first D8 version I used 6 years ago...

Trick:

- Enable Domain access control on Content here: /admin/config/domain/entities and save
- Go to Content configure page clicking on Operations button besides Content (or browse to /admin/config/domain/entities/node)
- Enable both domain entity access and domain entity source (the second appears after checking the first) and set "User choose affiliate" under "Choose which behaviour..." select field.

You then find a couple more fields in content type field list, named "domain_access" and "domain_source". Using this "domain_source" field instead of the "original" one works (view link features selected domain, every access to content from another domain brings a 403 error). It doesn't force redirect, though.

An issue of this trick is that in Content admin view, Assign/remove content to domain actions are referring the "original" fields so they don't work.

I think this is a critical problem that needs urgent solutiom

Hi everyone,

Thank you very much for raising this issue, it's greatly appreciated.

We would like to confirm having the exact same issue with a setup with two domains (sites) and the following versions:

• Drupal core: 9.5.7
• Domain: 8.x-1.0-beta8
• Localgov: 2.3.15

The problem described in the issue summary, in particular the expected results as opposed to the actual behavior, correspond exactly to the problem we've encountered.
Content assigned to Domain A can still be accessed through Domain B as if it had been assigned to it as well.
However, the content item doesn't appear listed on the other domain's content listing page.

We haven't had time to investigate the problem any further, whether in code or by enabling/disabling other domain related modules.

Any help, advice, guidance or code contributions would be greatly appreciated.
Thanks in advance.

Temporary workaround:
Install Domain Access Entity module.

This is probably not a bug. If it were, it would be a serious security issue.

We have extensive tests for this behavior.

Here are a few reasons why this may happen:

1) (Most likely) You are logged in as user 1 or a use with "Bypass node access" permissions. In both cases, the filtering rules do not apply.

2) You have another access control module (like groups) installed, and it is grating access. The access system is an OR system.

If you don't know the answer to #2, take a look in the {node_access} table in the database. If you have "grant" in there other than "domain_x", then you have another module interfering.

Reviewing for 📌 Documentation for 2.0.x Active . I am relating this issue to include it in documentation, particularly @agentrickard's comment in #8.

Did the answer in #8 💬 Nodes accessible on all domains regardless of domain assignment Postponed: needs info solve this issue?

We have a similar site we review and try to duplicate this. If you can duplicate, please see if can you duplicate after updating to the 2.0.0-beta1 release.

Per the project description, "The 2.0.0-beta1 release is a code-only update from 8.x-1.0-beta8. Upgrading should only require a cache clear. The 8.x-1.x branch is now deprecated and will receive no new commits or releases."

Having the same issue
Drupal core: 9.5.9
Domain: 8.x-1.0-beta8

Just noticing this on one of our more complex sites.
We are using 2.0.0-beta1 and do not have groups installed. Currently not aware of any other access systems, surely no other contrib access systems.

What exactly does this sentence mean: "If you don't know the answer to #2, take a look in the {node_access} table in the database. If you have "grant" in there other than "domain_x", then you have another module interfering." Am I supposed to see database tables for each domain instead of grant_view, grant_update, grant_delete?

Update to the information provided by @aschiwi:
I've debugged through the access hooks called when viewing the node and every involved hook (*_entity_access(), *_node_access() returns AccessResult::neutral().
domain_access_node_grants() returns an array referencing the assigned domain record and true for all grants:

<?php
$grants['domain_id'][0] = 3187922; // This is the domain_id of the domain assigned to the node.
$grants['domain_site'][0] = 0;
$grants['all'][0] = 1;
?>

So there is no module restricting access to this node. According to the code domain_access doesn't care about restricting access to published nodes (see domain_access.module#352):

<?php
  // In order to access update or delete, the user must be able to view.
  // Domain-specific permissions are relevant only if the node is not published.
  if ($op === 'view') {
    if ($node->isPublished()) {
      // Explicit restatement of the condition, for clarity.
      $allowed = FALSE;
    }
    elseif ($account->hasPermission('view unpublished domain content') && $manager->checkEntityAccess($node, $account)) {
      $allowed = TRUE;
    }
  }
?>

I think we need to add an own implementation of hook_node_access() restricting the view permission to published nodes (using domain_entity_get_user_available_domains() from domain_entity).

I also had this issue. But this was caused because node module installed grant access in the 'all' real by default. This is clashing with the domain grants.

  // Populate the node access table.
  Database::getConnection()->insert('node_access')
    ->fields([
      'nid' => 0,
      'gid' => 0,
      'realm' => 'all',
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
    ])
    ->execute();

After rebuilding the grants. The all was gone in my grants table, and everything worked ok.

ddev drush php-eval 'node_access_rebuild();'

I was experiencing the same issue. The domain_access_node_access() hook implementation never checks to see if the content should be accessible on the active domain.

I updated the fork with the latest from origin and added some logic, similar to domain_entity, to forbid access if the active domain is not checked in the domain access field, or the all affiliates field is not checked.

I assume setting this back to "Needs review" will kickoff tests. I am reviewing tests to see if we can add one specific to this case.

Uploading my changes as a patch to run tests.

Needs tests :/

https://www.drupal.org/project/domain/issues/3351689#comment-15425909 💬 Nodes accessible on all domains regardless of domain assignment Postponed: needs info fixed the issue

#17 did fix the issue for me
thx @weekbeforenext

Hello at all. And a special Hello to @aschiwi :) long time no see.

Thanks for all the reports and the detailed insides of each case in here. Much appreciated. We still cannot reproduce this TBH, so we need to find more overlaps in your cases to tackle it down. As #8 states we have tests on this. And we run multiple multi domain record projects where non of the issues described here happen. Nodes only appear on domains selected (checked) on the node edit form. We never had any other experience like this. But we have no other permission modules installed to make sure that nothing interfears here. So maybe we need a fresh Drupal install to test all together. Or are you willing to list all modules installed on your projects? Let me know and I will set up one instance for all of us.

And I would love to see you guys in #Domain channel I created some time ago for more detailed conversations regarding Domain upcoming final release. Maybe we can find the culprit in a quick meet up to move on here.

Looking back at #8, our site does have at least one other access control module installed which could be causing the issue for us.