Incorrect caching of nodes with access denied pages

Created on 2 November 2024, about 2 months ago

Problem/Motivation

I have a webform that is only accessible to certain roles.
Users complained that they lack the permission to access a webform via a node. However, when using the /form/machine_name URL, they can access the form.

Steps to reproduce

  1. Create a webform. Attach it to a node using the webform_node module.
  2. Restrict access to a certain role.
  3. Load the node from a user that lacks the role.
  4. Now, load the node from a user that has the role.
  5. Because the cache was filled by step 3, the access denied error is shown even for a user that has access.

If you swap steps 3 and 4, then the webform is initially shown to the legitimate user with the right role. However, after loading the page for the user without permission and then loading the page for the legitimate user again, the unexpected access denied page appears again instead of the webform.

Proposed resolution

I am using the form_access_denied_message setting. It is attached to the render array in src/Element/Webform.php line 123. My particular problem is fixed by adding the following line:

$element['webform_access_denied']['#cache']['contexts'][] = 'user';

Remaining tasks

Fix the caching issue in the code. Maybe add a test.

User interface changes

None.

API changes

None.

Data model changes

None.

🐛 Bug report
Status

Needs review

Version

6.2

Component

Code

Created by

🇩🇪Germany gogowitsch
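
The mechanism behind steps 3 to 5, as an added example: a simplified stand-alone PHP model of a context-keyed render cache, not Drupal's or the webform module's own code. The role name, sample users, cache key and function names are constructed for illustration. It compares declaring no cache context with `user` (the line proposed above) and with Drupal's narrower `user.roles` context, which varies the cache per role set rather than per account.

```php
<?php
// Simplified model of a context-keyed render cache (not Drupal's code).

/** Resolves a cache context name to its value for the current user. */
function context_value(string $context, array $user): string {
  switch ($context) {
    case 'user':
      return 'u.' . $user['uid'];
    case 'user.roles':
      $roles = $user['roles'];
      sort($roles);
      return 'r.' . implode(',', $roles);
    default:
      throw new InvalidArgumentException("Unknown context: $context");
  }
}

/** Builds the output: the form for the allowed role, else the denied message. */
function build_webform(array $user): string {
  // 'editor' is a constructed role name standing in for the restricted role.
  return in_array('editor', $user['roles'], true) ? 'WEBFORM' : 'ACCESS DENIED';
}

/** Returns the cached output on a hit, otherwise builds and stores it. */
function render_cached(array &$cache, array $user, array $contexts): string {
  $parts = ['node_webform'];  // Constructed cache key.
  foreach ($contexts as $context) {
    $parts[] = context_value($context, $user);
  }
  $cid = implode(':', $parts);
  if (!isset($cache[$cid])) {
    $cache[$cid] = build_webform($user);
  }
  return $cache[$cid];
}

// Constructed sample users.
$without_role = ['uid' => 2, 'roles' => ['authenticated']];
$with_role = ['uid' => 3, 'roles' => ['authenticated', 'editor']];

foreach ([[], ['user'], ['user.roles']] as $contexts) {
  $cache = [];
  render_cached($cache, $without_role, $contexts);       // Step 3 fills the cache.
  $seen = render_cached($cache, $with_role, $contexts);  // Step 4 reads it.
  printf("contexts=[%s]: user with the role sees %s\n", implode(',', $contexts), $seen);
}
```

With no context declared, both users share one cache entry, so whichever output was stored first is served to everyone; the same omission in the opposite order would hand the cached form to a user who should be denied.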
