User Accept/Decline invitation access denied

Created on 13 October 2023, about 1 year ago
Updated 26 June 2024, 6 months ago

Problem/Motivation

The ginvite.invitation.accept and ginvite.invitation.decline routes are returning 403 access denied to users managing their invitations to groups. This began after I updated ginvite from alpha1 to alpha2. In alpha1 the routes are working correctly and users can create memberships or decline successfully. In alpha2 they cannot, and so I've marked this as a Critical bug.

The message logged into Drupal is "Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 115 of /app/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php)."

I've compared alpha1 and alpha2 at this point. The difference in AccessAwareRouter->checkAccess() method is that alpha1 returned a Drupal\Core\Access\AccessResultAllowed and alpha2 returns a Drupal\Core\Access\AccessResultNeutral which fails the isAllowed() check throwing the Exception in the logs.

I stepped further into the AccessManager->check() method. I noticed that alpha2 is returning "access_check.group.installed_content" to the $check array while alpha1 returns an "access_check.custom" in that array. I believe this is a result of the difference in routing between the module versions.

Steps to reproduce

drupal/group 3.2.0
drupal/ginvite 4.0.0-alpha2

Invite an authenticated user to a group. The invited user attempts to accept or decline the invitation to the group.

πŸ› Bug report
Status

Fixed

Version

4.0

Component

Code

Created by

🇺🇸 United States ikphilip Charlotte, NC, USA


Comments & Activities

  • Issue created by @ikphilip
  • 🇺🇸 United States ikphilip Charlotte, NC, USA
  • Assigned to lobsterr
  • 🇺🇸 United States ikphilip Charlotte, NC, USA

    OK. Further investigation reveals ginvite is using a built-in access check in the group module. That check in Drupal\group\Access\GroupInstalledContentAccessCheck->access() requires a 'group' parameter be passed or else it fails the condition !$parameters->has('group') and returns AccessResult::neutral(). As currently constructed, only the group_relationship parameter is found. Adding the group id to the route appears to pass enough information to the group access check to pass.

    This patch adjusts the routing and edits the My Invitations view which generates operation links.
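The behaviour described in the comment above, as an added sketch that is not code from ginvite, the group module or Drupal core: a check that returns neutral leaves the combined result non-allowed, and the router turns anything other than allowed into a 403. The enum, the function names and the parameter ids are stand-ins invented for illustration, and the check body assumes the invitation plugin is installed on the group type.

```php
<?php
// Simplified model of Drupal route access; stand-ins, not Drupal's own classes.
enum Access { case Allowed; case Neutral; case Forbidden; }

// Same truth table as AccessResult::andIf(): forbidden wins, and the result
// is allowed only when both sides are allowed.
function and_if(Access $a, Access $b): Access {
  if ($a === Access::Forbidden || $b === Access::Forbidden) {
    return Access::Forbidden;
  }
  return ($a === Access::Allowed && $b === Access::Allowed)
    ? Access::Allowed
    : Access::Neutral;
}

// Stand-in for the group module check described in the comment above:
// with no 'group' route parameter it cannot decide and returns neutral.
function installed_content_check(array $params): Access {
  if (!array_key_exists('group', $params)) {
    return Access::Neutral;
  }
  // Assumption: the invitation plugin is installed on this group's type.
  return Access::Allowed;
}

// Models AccessManager::check() followed by AccessAwareRouter::checkAccess():
// a route with no checks is neutral, every check is combined with and_if(),
// and anything but allowed becomes a 403.
function route_status(array $checks, array $params): int {
  $result = $checks ? Access::Allowed : Access::Neutral;
  foreach ($checks as $check) {
    $result = and_if($result, $check($params));
  }
  return $result === Access::Allowed ? 200 : 403;
}

$checks = ['installed_content_check'];
// Constructed sample parameters; the ids are placeholders.
$as_reported = ['group_relationship' => 12];
$with_group = ['group' => 3, 'group_relationship' => 12];

printf("relationship only: %d\n", route_status($checks, $as_reported));
printf("with group id:     %d\n", route_status($checks, $with_group));
printf("no checks at all:  %d\n", route_status([], $with_group));
```

Requires PHP 8.1 or later for the enum. The last call shows that the router denies by default: a route with no access checks is neutral, not allowed.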

  • 🇺🇸 United States ikphilip Charlotte, NC, USA

    Patch #5 should fix the my_invitations view to correctly create the routes.

  • Issue was unassigned.
  • Status changed to Fixed about 1 year ago
  • 🇧🇪 Belgium lobsterr

    I decided to keep the routes as they are right now, because some developers could alter their views and will miss these changes.
    I just added an additional check that the plugin exists in our custom access check.

  • Status changed to Needs review about 1 year ago
  • 🇨🇦 Canada floydm

    This issue also appeared in the 2.x branch in release 2.2 and makes it so users cannot accept invitations.

    As far as I can tell, it's just a one line change to fix it.

  • Status changed to Fixed about 1 year ago
  • 🇧🇪 Belgium lobsterr

    Fixed, I will tag a new release

  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed 6 months ago
  • 🇦🇺 Australia jasp888

    I'm on Drupal ver: 10.1.8
    Modules:
    - commerce ver: 8.x-2.39
    - gcommerce ver: 3.0.0-alpha1
    - ginvite ver: Version: 4.0.0-alpha3

    When clicking the invite hyperlink I'm seeing "Access denied You are not authorized to access this page.", and the following error log message:

    Path: /user/register?invitee_mail=cm9iLnNAYXJyb3dzYWludC5jb20. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 115 of /var/www/ecommerce/mystore/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

    Any assistance would be greatly appreciated - thank you in advance.
