Does not react to role changes

Created on 28 April 2023, over 1 year ago
Updated 7 May 2023, over 1 year ago

Problem/Motivation

When a user's role changes, the grants are not updated until permissions are rebuilt. This has security implications, as administrators may not understand that permissions need to be rebuilt after a role has been given or taken away.

Steps to reproduce

  1. Create a role called "access own article" that has the "View own article content" permission.
  2. Remove the "View * article content" permission for anonymous user and authenticated user.
  3. Create a user ("bob") who has the "access own article" role.
  4. Log in as bob.
  5. As the new user, create an article node named "Article".
  6. Remove the "access own article" role from bob.
  7. As bob, attempt to view the "Article" node.
  8. Rebuild node access permissions.
  9. As bob, attempt to view the "Article" node.
  10. Grant bob the "access own projects" role.
  11. As bob, attempt to view the "Article" node.
  12. Rebuild node access permissions.
  13. As bob, attempt to view the "Article" node.

Expected result:

#5: "Article" accessible.
#7: "Article" not accessible.
#9: "Article" not accessible.
#11: "Article" accessible.
#13: "Article" accessible.

Actual result:

#5: "Article" accessible.
#7: "Article" accessible.
#9: "Article" not accessible.
#11: "Article" not accessible.
#13: "Article" accessible.

Proposed resolution

This bug was also in the branch for Drupal 7; see the issue '"content_access_author" grant does not react to role changes' (status: Fixed). There is a patch to be ported.
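Until grants follow role changes on their own, a site can at least surface the stale state described above. The following is an added example, not the patch from this issue or code from the module: a hook in a hypothetical custom module named `role_grant_watch` that flags node access for rebuild and logs the change whenever a user's roles differ after a save. It assumes a Drupal 8 to 10 style API, where entity storage sets `$entity->original` during an update and core's `node_access_needs_rebuild()` is available.

```php
<?php

/**
 * @file
 * Hypothetical module "role_grant_watch" (name is an assumption).
 */

use Drupal\user\UserInterface;

/**
 * Implements hook_ENTITY_TYPE_update() for user entities.
 */
function role_grant_watch_user_update(UserInterface $account) {
  // Entity storage attaches the unchanged copy as ->original while saving.
  if (!isset($account->original)) {
    return;
  }

  $before = $account->original->getRoles();
  $after = $account->getRoles();
  $removed = array_diff($before, $after);
  $added = array_diff($after, $before);

  // Nothing to do when the role set is identical.
  if (!$removed && !$added) {
    return;
  }

  // Stored node access grants may no longer match this user's roles.
  // Setting the flag makes core show administrators the
  // "content access permissions need to be rebuilt" notice.
  node_access_needs_rebuild(TRUE);

  // Leave an audit trail so the gap between the role change and the
  // rebuild can be reviewed later.
  \Drupal::logger('role_grant_watch')->warning(
    'Roles of user @uid changed (removed: @removed; added: @added). Node access flagged for rebuild.',
    [
      '@uid' => $account->id(),
      '@removed' => implode(', ', $removed) ?: 'none',
      '@added' => implode(', ', $added) ?: 'none',
    ]
  );
}
```

This only flags and records the condition. Access stays stale, as in steps 7 and 11, until the rebuild is actually run.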

🐛 Bug report
Status

Fixed

Version

2.0

Component

Code

Created by

gisle (Norway)
