Contrib.social

Session Permissions: No descriptive error message if "edit XB Page" permission is lost mid-session

Open on Drupal.org →
Created on 10 July 2025, 6 days ago

Overview

If a user with the Content Editor role loses the "edit XB Page" permission during an active session (for example, due to a change in their permissions by an administrator), they are still able to access the "Edit XB Page" UI. However, after attempting to publish changes, the system only displays a generic/unexpected error message ("An unexpected error has occurred while fetching the layout.") and does not provide a clear, descriptive error about the change in their permissions. Proper feedback should be given immediately upon permission loss, ideally with an access denied (403) message when attempting to interact with unauthorised UI elements.

Expected behavior: If the user loses the "edit XB Page" permission during their session, trying to edit or publish should immediately display a descriptive error message regarding insufficient permissions, rather than an unexpected or generic error.

Steps to Reproduce

  1. Assign the Content Editor role to a user, ensuring "edit XB Page" permission is granted.
  2. Log in as that user and access an XB Page's edit form (UI element: "Edit XB Page").
  3. While the user session remains active, have an administrator remove the "edit XB Page" permission from the Content Editor role.
  4. Without reloading the current edit page, attempt to publish changes.
  5. Observed: Upon clicking publish, an unexpected error message appears - "An unexpected error has occurred while fetching the layout."
  6. Expected: As soon as the permission is lost, attempting to perform restricted actions (such as publish) should show a clear, descriptive error about insufficient permissions or redirect to an access denied page.

Proposed resolution

User interface changes

🐛 Bug report
Status

Active

Version

0.0

Component

… to be triaged

Created by

mayur-sose

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @mayur-sose
  • Comment 6 days ago
    🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
  • Comment 6 days ago
    🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

    On the surface, this seems to be a pure client-side matter: it should handle 403s more nicely. That's true, and it'd solve 90% of the problem.

    But in reality, we need that last 10% too: the XB UI was initialized with a certain set of permission assumptions: those passed by the erver (at ExperienceBuilderController) to the client, after which the client "forever" assumes these to be true.

    So we need a mechanism to inform XB that XB needs to reload the page (which seems "a lot" but really isn't, because … permissions don't change often mid-session!). We already have polling for auto-saving. So … that's what should provide that instruction.

    Note that Drupal already has the necessary information for exactly this, worked on by yours truly over a decade ago in #2005644: Use client-side cache tags & caching to eliminate 1 HTTP requests/page for in-place editing metadata, introduce drupalSettings.user.permissionsHash : 

    $settings['user']['permissionsHash'] = \Drupal::service('user_permissions_hash_generator')->generate($user);

    IOW: this requires both client-side and server-side changes.

  • Comment 6 days ago
    🇫🇮Finland lauriii Finland

    This is slightly off topic but we probably need a similar issue for changes to the code base (i.e. XB version). The reason I'm bringing this up here is so that we can think what other use cases should force a refresh in the client.

  • Comment 6 days ago
    🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

    #4++ — great call! 👍

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024