Nodes accessible on all domains regardless of domain assignment

Created on 1 April 2023, over 1 year ago
Updated 3 September 2024, 3 months ago

Drupal Version

9.5.5

Domain module version

8.x-1.0-beta8

Expected Behavior

I should only be able to access submitted nodes on the domain(s) that I have selected as an affiliate domain(s) for the node

Actual Behavior

I have 2 domains defined: A and B.
I have a content type including an entity reference field to domain records so I can assign domain to a node.
After I create a node and assign it to domain A I can view this node on domain B too.

I think the module should achieve access control: in case a visitor try to view the node on a domain to which it is not assigned He should get 403 error.

๐Ÿ’ฌ Support request
Status

Closed: cannot reproduce

Version

2.0

Component

Code

Created by

๐Ÿ‡ญ๐Ÿ‡บHungary kepesv

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @kepesv
  • ๐Ÿ‡ฎ๐Ÿ‡นItaly antonio.bertolini

    drupal 9.5.7,
    same problem after updating form 8.x-1.0-beta6

  • mickael@kaneva.io โ†’ made their first commit to this issueโ€™s fork.

  • Hello,

    Same with last beta version and drupal 9.5.4

    Thanks !

  • ๐Ÿ‡ฎ๐Ÿ‡นItaly fadeslayer

    I have just encountered the same problem.

    Drupal 9.5.7
    Domain 8.x-1.0-beta8 or 2.0.x-dev, I tried both with the same result.

    I have found a working trick, but I think this is a serious issue I encounter since the first D8 version I used 6 years ago...

    Trick:

    - Enable Domain access control on Content here: /admin/config/domain/entities and save
    - Go to Content configure page clicking on Operations button besides Content (or browse to /admin/config/domain/entities/node)
    - Enable both domain entity access and domain entity source (the second appears after checking the first) and set "User choose affiliate" under "Choose which behaviour..." select field.

    You then find a couple more fields in content type field list, named "domain_access" and "domain_source". Using this "domain_source" field instead of the "original" one works (view link features selected domain, every access to content from another domain brings a 403 error). It doesn't force redirect, though.

    An issue of this trick is that in Content admin view, Assign/remove content to domain actions are referring the "original" fields so they don't work.

    I think this is a critical problem that needs urgent solutiom

  • ๐Ÿ‡ซ๐Ÿ‡ทFrance dydave

    Hi everyone,

    Thank you very much for raising this issue, it's greatly appreciated.

    We would like to confirm having the exact same issue with a setup with two domains (sites) and the following versions:

    • Drupal core: 9.5.7
    • Domain: 8.x-1.0-beta8
    • Localgov: 2.3.15

    The problem described in the issue summary, in particular the expected results as opposed to the actual behavior, correspond exactly to the problem we've encountered.
    Content assigned to Domain A can still be accessed through Domain B as if it had been assigned to it as well.
    However, the content item doesn't appear listed on the other domain's content listing page.

    We haven't had time to investigate the problem any further, whether in code or by enabling/disabling other domain related modules.

    Any help, advice, guidance or code contributions would be greatly appreciated.
    Thanks in advance.

  • ๐Ÿ‡ญ๐Ÿ‡บHungary kepesv

    Temporary workaround:
    Install Domain Access Entity module.

  • Status changed to Postponed: needs info over 1 year ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States agentrickard Georgia (US)

    This is probably not a bug. If it were, it would be a serious security issue.

    We have extensive tests for this behavior.

    Here are a few reasons why this may happen:

    1) (Most likely) You are logged in as user 1 or a use with "Bypass node access" permissions. In both cases, the filtering rules do not apply.

    2) You have another access control module (like groups) installed, and it is grating access. The access system is an OR system.

    If you don't know the answer to #2, take a look in the {node_access} table in the database. If you have "grant" in there other than "domain_x", then you have another module interfering.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States bsnodgrass

    Reviewing for ๐Ÿ“Œ Documentation for 2.0.x Active . I am relating this issue to include it in documentation, particularly @agentrickard's comment in #8.

    Did the answer in #8 ๐Ÿ’ฌ Nodes accessible on all domains regardless of domain assignment Postponed: needs info solve this issue?

    We have a similar site we review and try to duplicate this. If you can duplicate, please see if can you duplicate after updating to the 2.0.0-beta1 release.

    Per the project description, "The 2.0.0-beta1 release is a code-only update from 8.x-1.0-beta8. Upgrading should only require a cache clear. The 8.x-1.x branch is now deprecated and will receive no new commits or releases."

  • ๐Ÿ‡บ๐Ÿ‡ฆUkraine alex.mazaltov

    Having the same issue
    Drupal core: 9.5.9
    Domain: 8.x-1.0-beta8

  • ๐Ÿ‡ฉ๐Ÿ‡ชGermany aschiwi

    Just noticing this on one of our more complex sites.
    We are using 2.0.0-beta1 and do not have groups installed. Currently not aware of any other access systems, surely no other contrib access systems.

    What exactly does this sentence mean: "If you don't know the answer to #2, take a look in the {node_access} table in the database. If you have "grant" in there other than "domain_x", then you have another module interfering." Am I supposed to see database tables for each domain instead of grant_view, grant_update, grant_delete?

  • ๐Ÿ‡ฉ๐Ÿ‡ชGermany stborchert

    Update to the information provided by @aschiwi:
    I've debugged through the access hooks called when viewing the node and every involved hook (*_entity_access(), *_node_access() returns AccessResult::neutral().
    domain_access_node_grants() returns an array referencing the assigned domain record and true for all grants:

    <?php
    $grants['domain_id'][0] = 3187922; // This is the domain_id of the domain assigned to the node.
    $grants['domain_site'][0] = 0;
    $grants['all'][0] = 1;
    ?>
    

    So there is no module restricting access to this node. According to the code domain_access doesn't care about restricting access to published nodes (see domain_access.module#352):

    <?php
      // In order to access update or delete, the user must be able to view.
      // Domain-specific permissions are relevant only if the node is not published.
      if ($op === 'view') {
        if ($node->isPublished()) {
          // Explicit restatement of the condition, for clarity.
          $allowed = FALSE;
        }
        elseif ($account->hasPermission('view unpublished domain content') && $manager->checkEntityAccess($node, $account)) {
          $allowed = TRUE;
        }
      }
    ?>
    

    I think we need to add an own implementation of hook_node_access() restricting the view permission to published nodes (using domain_entity_get_user_available_domains() from domain_entity).

  • ๐Ÿ‡ง๐Ÿ‡ชBelgium nils.destoop

    I also had this issue. But this was caused because node module installed grant access in the 'all' real by default. This is clashing with the domain grants.

      // Populate the node access table.
      Database::getConnection()->insert('node_access')
        ->fields([
          'nid' => 0,
          'gid' => 0,
          'realm' => 'all',
          'grant_view' => 1,
          'grant_update' => 0,
          'grant_delete' => 0,
        ])
        ->execute();
    

    After rebuilding the grants. The all was gone in my grants table, and everything worked ok.

    ddev drush php-eval 'node_access_rebuild();'

  • First commit to issue fork.
  • Pipeline finished with Success
    8 months ago
    Total: 148s
    #137872
  • Status changed to Needs review 8 months ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States weekbeforenext Asheville, NC

    I was experiencing the same issue. The domain_access_node_access() hook implementation never checks to see if the content should be accessible on the active domain.

    I updated the fork with the latest from origin and added some logic, similar to domain_entity, to forbid access if the active domain is not checked in the domain access field, or the all affiliates field is not checked.

    I assume setting this back to "Needs review" will kickoff tests. I am reviewing tests to see if we can add one specific to this case.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States weekbeforenext Asheville, NC

    Uploading my changes as a patch to run tests.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States weekbeforenext Asheville, NC
  • Status changed to Needs work 8 months ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States weekbeforenext Asheville, NC

    Needs tests :/

  • ๐Ÿ‡ซ๐Ÿ‡ทFrance fwust Strasbourg

    https://www.drupal.org/project/domain/issues/3351689#comment-15425909 ๐Ÿ’ฌ Nodes accessible on all domains regardless of domain assignment Postponed: needs info fixed the issue

  • ๐Ÿ‡จ๐Ÿ‡ญSwitzerland Gealion Lausanne

    #17 did fix the issue for me
    thx @weekbeforenext

  • Status changed to Needs review 6 months ago
  • ๐Ÿ‡จ๐Ÿ‡ญSwitzerland Gealion Lausanne
  • Status changed to Postponed: needs info 6 months ago
  • ๐Ÿ‡ซ๐Ÿ‡ทFrance dqd London | N.Y.C | Paris | Hamburg | Berlin

    Hello at all. And a special Hello to @aschiwi :) long time no see.

    Thanks for all the reports and the detailed insides of each case in here. Much appreciated. We still cannot reproduce this TBH, so we need to find more overlaps in your cases to tackle it down. As #8 states we have tests on this. And we run multiple multi domain record projects where non of the issues described here happen. Nodes only appear on domains selected (checked) on the node edit form. We never had any other experience like this. But we have no other permission modules installed to make sure that nothing interfears here. So maybe we need a fresh Drupal install to test all together. Or are you willing to list all modules installed on your projects? Let me know and I will set up one instance for all of us.

    And I would love to see you guys in #Domain channel I created some time ago for more detailed conversations regarding Domain upcoming final release. Maybe we can find the culprit in a quick meet up to move on here.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States weekbeforenext Asheville, NC

    Looking back at #8, our site does have at least one other access control module installed which could be causing the issue for us.

  • ๐Ÿ‡ณ๐Ÿ‡ฑNetherlands absoludo

    I might be missing something, but on a clean install of Drupal 10.3 I ran into this issue.
    The options mentioned in #8 are good checks, but not relevant for my tests.
    I have only installed Drupal 10.3 and the domain (+ access + content) module. No custom or other contrib access modules are installed.
    Patch #17 resolved my issue, but I might be missing something? Is the 2.0-beta1 tested against Drupal 10.3?

  • Status changed to Closed: cannot reproduce 3 months ago
  • ๐Ÿ‡ซ๐Ÿ‡ทFrance dqd London | N.Y.C | Paris | Hamburg | Berlin

    Not sure but we still run Domain on multiple projects in production without issues about which nodes appear where. Config of Domain can become complex and there are traps you can fall into. Some listings for example are automatically handled by Views in a default profile Drupal install (like aka /node) and this means you also have to take a look at the Views view and that the Domain settings are correct regarding this. This is just one example. Sadly some of the previous reporters did not came back to report further because I worry that this issue became a collecting basin for multiple issues, including some misconfiguration issues I think.

    We still cannot reproduce the issue here, nether on latest dev nor on last beta and I think I will close this for the moment to prevent further flooding or wasted efforts of contributors since node access issues are too random if not tackled down. If the original reporter could came back to elaborate more on the individual case it would be helpful. Feel free to reopen then. For others who feel like having node access issues with Domain I would like to recommend to make sure what the root cause is and to report it in another issue if required. Hope it helps.

Production build 0.71.5 2024