- Issue created by @kepesv
- ๐ฎ๐นItaly antonio.bertolini
drupal 9.5.7,
same problem after updating form 8.x-1.0-beta6 mickael@kaneva.io โ made their first commit to this issueโs fork.
Hello,
Same with last beta version and drupal 9.5.4
Thanks !
- ๐ฎ๐นItaly fadeslayer
I have just encountered the same problem.
Drupal 9.5.7
Domain 8.x-1.0-beta8 or 2.0.x-dev, I tried both with the same result.I have found a working trick, but I think this is a serious issue I encounter since the first D8 version I used 6 years ago...
Trick:
- Enable Domain access control on Content here: /admin/config/domain/entities and save
- Go to Content configure page clicking on Operations button besides Content (or browse to /admin/config/domain/entities/node)
- Enable both domain entity access and domain entity source (the second appears after checking the first) and set "User choose affiliate" under "Choose which behaviour..." select field.You then find a couple more fields in content type field list, named "domain_access" and "domain_source". Using this "domain_source" field instead of the "original" one works (view link features selected domain, every access to content from another domain brings a 403 error). It doesn't force redirect, though.
An issue of this trick is that in Content admin view, Assign/remove content to domain actions are referring the "original" fields so they don't work.
I think this is a critical problem that needs urgent solutiom
- ๐ซ๐ทFrance dydave
Hi everyone,
Thank you very much for raising this issue, it's greatly appreciated.
We would like to confirm having the exact same issue with a setup with two domains (sites) and the following versions:
- Drupal core: 9.5.7
- Domain: 8.x-1.0-beta8
- Localgov: 2.3.15
The problem described in the issue summary, in particular the expected results as opposed to the actual behavior, correspond exactly to the problem we've encountered.
Content assigned to Domain A can still be accessed through Domain B as if it had been assigned to it as well.
However, the content item doesn't appear listed on the other domain's content listing page.We haven't had time to investigate the problem any further, whether in code or by enabling/disabling other domain related modules.
Any help, advice, guidance or code contributions would be greatly appreciated.
Thanks in advance. - ๐ญ๐บHungary kepesv
Temporary workaround:
Install Domain Access Entity module. - Status changed to Postponed: needs info
over 1 year ago 3:35pm 28 May 2023 - ๐บ๐ธUnited States agentrickard Georgia (US)
This is probably not a bug. If it were, it would be a serious security issue.
We have extensive tests for this behavior.
Here are a few reasons why this may happen:
1) (Most likely) You are logged in as user 1 or a use with "Bypass node access" permissions. In both cases, the filtering rules do not apply.
2) You have another access control module (like groups) installed, and it is grating access. The access system is an OR system.
If you don't know the answer to #2, take a look in the {node_access} table in the database. If you have "grant" in there other than "domain_x", then you have another module interfering.
- ๐บ๐ธUnited States bsnodgrass
Reviewing for ๐ Documentation for 2.0.x Active . I am relating this issue to include it in documentation, particularly @agentrickard's comment in #8.
Did the answer in #8 ๐ฌ Nodes accessible on all domains regardless of domain assignment Postponed: needs info solve this issue?
We have a similar site we review and try to duplicate this. If you can duplicate, please see if can you duplicate after updating to the 2.0.0-beta1 release.
Per the project description, "The 2.0.0-beta1 release is a code-only update from 8.x-1.0-beta8. Upgrading should only require a cache clear. The 8.x-1.x branch is now deprecated and will receive no new commits or releases."
- ๐บ๐ฆUkraine alex.mazaltov
Having the same issue
Drupal core: 9.5.9
Domain: 8.x-1.0-beta8 - ๐ฉ๐ชGermany aschiwi
Just noticing this on one of our more complex sites.
We are using 2.0.0-beta1 and do not have groups installed. Currently not aware of any other access systems, surely no other contrib access systems.What exactly does this sentence mean: "If you don't know the answer to #2, take a look in the {node_access} table in the database. If you have "grant" in there other than "domain_x", then you have another module interfering." Am I supposed to see database tables for each domain instead of grant_view, grant_update, grant_delete?
- ๐ฉ๐ชGermany stborchert
Update to the information provided by @aschiwi:
I've debugged through the access hooks called when viewing the node and every involved hook (*_entity_access()
,*_node_access()
returnsAccessResult::neutral()
.
domain_access_node_grants()
returns an array referencing the assigned domain record and true for all grants:<?php $grants['domain_id'][0] = 3187922; // This is the domain_id of the domain assigned to the node. $grants['domain_site'][0] = 0; $grants['all'][0] = 1; ?>
So there is no module restricting access to this node. According to the code domain_access doesn't care about restricting access to published nodes (see domain_access.module#352):
<?php // In order to access update or delete, the user must be able to view. // Domain-specific permissions are relevant only if the node is not published. if ($op === 'view') { if ($node->isPublished()) { // Explicit restatement of the condition, for clarity. $allowed = FALSE; } elseif ($account->hasPermission('view unpublished domain content') && $manager->checkEntityAccess($node, $account)) { $allowed = TRUE; } } ?>
I think we need to add an own implementation of
hook_node_access()
restricting the view permission to published nodes (using domain_entity_get_user_available_domains() from domain_entity). - ๐ง๐ชBelgium nils.destoop
I also had this issue. But this was caused because node module installed grant access in the 'all' real by default. This is clashing with the domain grants.
// Populate the node access table. Database::getConnection()->insert('node_access') ->fields([ 'nid' => 0, 'gid' => 0, 'realm' => 'all', 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0, ]) ->execute();
After rebuilding the grants. The all was gone in my grants table, and everything worked ok.
ddev drush php-eval 'node_access_rebuild();'
- First commit to issue fork.
- Merge request !733351689: Nodes accessible on all domains regardless of domain assignment โ (Open) created by weekbeforenext
- Status changed to Needs review
7 months ago 8:18pm 4 April 2024 - ๐บ๐ธUnited States weekbeforenext Asheville, NC
I was experiencing the same issue. The domain_access_node_access() hook implementation never checks to see if the content should be accessible on the active domain.
I updated the fork with the latest from origin and added some logic, similar to domain_entity, to forbid access if the active domain is not checked in the domain access field, or the all affiliates field is not checked.
I assume setting this back to "Needs review" will kickoff tests. I am reviewing tests to see if we can add one specific to this case.
- ๐บ๐ธUnited States weekbeforenext Asheville, NC
Uploading my changes as a patch to run tests.
- Status changed to Needs work
7 months ago 9:04pm 4 April 2024 - ๐ซ๐ทFrance fwust Strasbourg
https://www.drupal.org/project/domain/issues/3351689#comment-15425909 ๐ฌ Nodes accessible on all domains regardless of domain assignment Postponed: needs info fixed the issue
- ๐จ๐ญSwitzerland Gealion Lausanne
#17 did fix the issue for me
thx @weekbeforenext - Status changed to Needs review
6 months ago 1:20pm 23 May 2024 - Status changed to Postponed: needs info
6 months ago 6:52pm 27 May 2024 - ๐ซ๐ทFrance dqd London | N.Y.C | Paris | Hamburg | Berlin
Hello at all. And a special Hello to @aschiwi :) long time no see.
Thanks for all the reports and the detailed insides of each case in here. Much appreciated. We still cannot reproduce this TBH, so we need to find more overlaps in your cases to tackle it down. As #8 states we have tests on this. And we run multiple multi domain record projects where non of the issues described here happen. Nodes only appear on domains selected (checked) on the node edit form. We never had any other experience like this. But we have no other permission modules installed to make sure that nothing interfears here. So maybe we need a fresh Drupal install to test all together. Or are you willing to list all modules installed on your projects? Let me know and I will set up one instance for all of us.
And I would love to see you guys in #Domain channel I created some time ago for more detailed conversations regarding Domain upcoming final release. Maybe we can find the culprit in a quick meet up to move on here.
- ๐บ๐ธUnited States weekbeforenext Asheville, NC
Looking back at #8, our site does have at least one other access control module installed which could be causing the issue for us.
- ๐ณ๐ฑNetherlands absoludo
I might be missing something, but on a clean install of Drupal 10.3 I ran into this issue.
The options mentioned in #8 are good checks, but not relevant for my tests.
I have only installed Drupal 10.3 and the domain (+ access + content) module. No custom or other contrib access modules are installed.
Patch #17 resolved my issue, but I might be missing something? Is the 2.0-beta1 tested against Drupal 10.3? - Status changed to Closed: cannot reproduce
2 months ago 10:26am 3 September 2024 - ๐ซ๐ทFrance dqd London | N.Y.C | Paris | Hamburg | Berlin
Not sure but we still run Domain on multiple projects in production without issues about which nodes appear where. Config of Domain can become complex and there are traps you can fall into. Some listings for example are automatically handled by Views in a default profile Drupal install (like aka /node) and this means you also have to take a look at the Views view and that the Domain settings are correct regarding this. This is just one example. Sadly some of the previous reporters did not came back to report further because I worry that this issue became a collecting basin for multiple issues, including some misconfiguration issues I think.
We still cannot reproduce the issue here, nether on latest dev nor on last beta and I think I will close this for the moment to prevent further flooding or wasted efforts of contributors since node access issues are too random if not tackled down. If the original reporter could came back to elaborate more on the individual case it would be helpful. Feel free to reopen then. For others who feel like having node access issues with Domain I would like to recommend to make sure what the root cause is and to report it in another issue if required. Hope it helps.