Permissions/access caching per node and per user

Created on 7 October 2024, 2 months ago

Problem/Motivation

I am using drupal 9, I have created a grant id 10 which have permission view,delete content of facility and from permissions page there is no additional permission to view,edit,delete facility. I have assigned gid 10 to non admin users so all non admin users should have view and delete permissions only. Which works perfectly. This is my code for reference
function rcp_access_node_access_records(NodeInterface $node) {
//need to edit and save node to test
if ($node->getType() == 'facility') {

$grants[] = array(
'realm' => 'drupalup_simple_form',
'gid' => 10,
'grant_view' => 1,
'grant_update' => 0,
'grant_delete' => 1,
'langcode' => 'en',
);
}
$grants[] = array(
'realm' => 'drupalup_simple_form',
'gid' => 0, // This is the admin GID, not the $account->uid associated with anonymous
'grant_view' => 1,
'grant_update' => 1,
'grant_delete' => 1,
'langcode' => 'en',
);

return $grants;
}
function rcp_access_node_grants(AccountInterface $account, $op) {
$grants = [];
if (in_array('administrator', $account->getRoles())) {
// gid to view, update, delete
$grants['drupalup_simple_form'][] = 0;
return $grants;
}

if ($account->id() != 0) {
// otherwise return uid, might match entry in table
$grants['drupalup_simple_form'][] = 10;
}

return $grants;
}

I have migrated my site from drupal 7 to drupal 9 which have millions of nodes, I have to rebuild permissions on my new site as i have custom grants but rebuilding node permission takes huge time I have tried using https://www.drupal.org/project/node_access_rebuild_progressive Node access Rebuild progressive module for rebuilding permission but it also didnt worked for me as it takes huge downtime beacause of millions of nodes. So, I have migrated node_access database table from drupal 7 to drupal 9

Issue i am facing new nodes created of facility content types are working perfectly because whenever a new node is created a row is inserted automatically in node_access table and it works according to grants But the migrated nodes with migrated nodes_access table does'nt work , i mean it has entry regarding grants and grants are also updated for migrated node btu it doesnt reflect the output of my grants Seems like Caching issue

Debbugging Found this functionality to test access $access = \Drupal::entityTypeManager()->getAccessControlHandler('node')->access($node, 'delete', \Drupal::currentUser()); which gives true if access allowed to delete and false if not allowed to delete
Access Results object for old nodes

Drupal\Core\Access\AccessResultNeutral {#3264 ▼
#cacheContexts: array:1 [▼
0 => "user.permissions"
]
#cacheTags: []
#cacheMaxAge: -1
#reason: "The 'delete any facility content' permission is required."
}
Access Results object for new nodes

Drupal\Core\Access\AccessResultAllowed {#3386 ▼
#cacheContexts: array:2 [▼
0 => "user.permissions"
1 => "user.node_grants:delete"
]
#cacheTags: []
#cacheMaxAge: 0
}

As noticed there is difference in cacheContexts for old and new nodes I tried adding cacheContexts for old nodes but it didnt worked $node = \Drupal::entityTypeManager()->getStorage('node')->load($nid); $node->addCacheContexts(['user.node_grants:delete']); $node->save();

I tried resetting cache for these nids but it also didnt worked \Drupal::entityTypeManager()->getStorage('node')->resetCache($nids);

I tried deleting cache for entity but also didnt worked \Drupal::service('cache.entity')->deleteAll();

Also Tried acquireGrants() but did not worked \Drupal::entityTypeManager()->getAccessControlHandler('node')->acquireGrants($node)

I want my migrated nodes to be working acording to grants although grats are getting updated in node_access table but its not reflecting results as per node_access table for migrated nodes but working for newer nodes I cant rebuilt node permission as it is taking huge time Any help appreciated

STEPS TO REPRODUCE
Migrate a drupal 7 site to Drupal 9 using drush
migrate node_access table from drupal 7 to Drupal 9
create a module with custom grants as mentioned above
Cross check no additional permission from permissions page

Newer nodes are working according to grants and grants in node_access table are evenly getting updated according to code
But grants working only on newer nodes not on old nodes

💬 Support request
Status

Active

Version

9.2

Component

node system

Created by

🇮🇳India sahil.shaikh

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024