Users not assigned to a domain can create content on the domain

Included a patch

@nils.destoop, please submit your proposed changes as a merge request. You will also need to add test to cover this case.

Rewritten patch for 2.0.0-beta2.

Could you provide an MR please?

Working on the tests and MR.

Great, thanks @divyansh.gupta!

MR initialized. We still need a test.

getDefaultValue will be deprecated when the following issue is merged: ✨ Allow setting default value on field_domain_access Needs review .

We need to backport the patch over there.

i am unable to reproduce the issue using this test even after trying multiple things,
My test file is:

<?php

namespace Drupal\Tests\domain_access\Functional;

use Drupal\Tests\domain\Functional\DomainTestBase;
use Drupal\domain_access\DomainAccessManagerInterface;
use Drupal\user\RoleInterface;

/**
 * Reproduces cross-domain content creation issue.
 *
 * @group domain_access
 */
class DomainAccessCrossDomainCreationTest extends DomainTestBase {

  /**
   * {@inheritdoc}
   */
  protected static $modules = [
    'domain',
    'domain_access',
    'field',
    'node',
  ];

  /**
   * {@inheritdoc}
   */
  protected function setUp(): void {
    parent::setUp();
    // Clear default permissions for authenticated users to avoid bleed-through.
    $this->config('user.role.' . RoleInterface::AUTHENTICATED_ID)->set('permissions', [])->save();

    // Ensure required content type exists when not using the standard profile.
    if ($this->profile !== 'standard') {
      $this->drupalCreateContentType([
        'type' => 'page',
        'name' => 'Basic page',
        'display_submitted' => FALSE,
      ]);
    }

    // Create exactly two domains for this test.
    $this->domainCreateTestDomains(2);
  }

  /**
   * A user assigned to domain B should not be able to create on domain A.
   */
  public function testCannotCreateOnUnassignedDomain(): void {
    // Load created domains in deterministic order.
    $domains = \Drupal::entityTypeManager()->getStorage('domain')->loadMultiple();
    $domains = array_values($domains);
    $this->assertTrue(count($domains) >= 2, 'Two domains are available.');
    $domainA = $domains[0];
    $domainB = $domains[1];

    // Create a user who can create page content only on assigned domains.
    $account = $this->drupalCreateUser([
      'access content',
      'create page content on assigned domains',
    ]);
    // Assign the user only to domain B.
    $this->addDomainsToEntity('user', $account->id(), $domainB->id(), DomainAccessManagerInterface::DOMAIN_ACCESS_FIELD);

    // Set the active domain to A and log in as the limited user.
    /** @var \Drupal\domain\DomainNegotiatorInterface $negotiator */
    $negotiator = \Drupal::service('domain.negotiator');
    $negotiator->setActiveDomain($domainA);
    $this->domainLogin($domainA, $account);

    // Try to access node add form on domain A and assert 403.
    $this->drupalGet('node/add/page');
    $this->assertSession()->statusCodeEquals(403);
  }

}

thus un assigning this issue from myself.

Strange, as I could reproduce it rather easily locally.

yes @mably,
i think someone else would be able to write proper tests.

But still wondering if it's a bug or a feature 😉

Ok, looks like my test user had the right to create a content regardless of domains.

When properly configured, the step - Go to node/add/page gives a 403 Forbidden.

So it looks like this issue is probably related to some permissions/roles misconfiguration.

Closing for now. Feel free to reopen if we missed something.

Created an MR for your test @divyansh.gupta, but in fact it was already properly tested in file DomainAccessPermissionsTest.php.

Will keep MR as an example.