
Issue #3504114: If edit own content is added, then the cache context user is...

Closed Issue #3504114: If edit own content is added, then the cache context user is...
1 unresolved thread
Closed catch requested to merge issue/drupal-3504114:3504114-merge into 11.x
2 files
+ 95
4
@@ -131,12 +131,11 @@ protected function checkAccess(EntityInterface $node, $operation, AccountInterfa
assert($node instanceof NodeInterface);
$cacheability = new CacheableMetadata();
$view_access_result = NULL;
/** @var \Drupal\node\NodeInterface $node */
if ($operation === 'view') {
$result = $this->checkViewAccess($node, $account, $cacheability);
if ($result !== NULL) {
return $result;
}
$view_access_result = $this->checkViewAccess($node, $account, $cacheability);
}
[$revision_permission_operation, $entity_operation] = static::REVISION_OPERATION_MAP[$operation] ?? [
@@ -185,6 +184,9 @@ protected function checkAccess(EntityInterface $node, $operation, AccountInterfa
$access_result = $this->grantStorage->access($node, $operation, $account);
if ($access_result instanceof RefinableCacheableDependencyInterface) {
$access_result->addCacheableDependency($cacheability);
if ($view_access_result) {
$access_result->addCacheableDependency($view_access_result);
}
}
return $access_result;
}
@@ -216,14 +218,31 @@ protected function checkViewAccess(NodeInterface $node, AccountInterface $accoun
return NULL;
}
// Due to the check below, it is not possible to rely only on account
// permissions to determine whether the 'view own unpublished content'
// permission can be checked, instead we also need to check if the user has
// the authenticated role. Just in case anonymous and authenticated users
// are both granted the 'view own unpublished content' permission and also
// have otherwise identical permissions.
$cacheability->addCacheContexts(['user.roles:authenticated']);
// The "view own unpublished content" permission must not be granted
// to anonymous users for security reasons.
if (!$account->isAuthenticated()) {
return NULL;
}
// When access is granted due to the 'view own unpublished content'
// permission and for no other reason, node grants are bypassed. However,
// to ensure the full set of cacheable metadata is available to variation
// cache, additionally add the node_grants cache context so that if the
// status or the owner of the node changes, cache redirects will continue to
// reflect the latest state without needing to be invalidated.
$cacheability->addCacheContexts(['user']);
if ($this->moduleHandler->hasImplementations('node_grants')) {
$cacheability->addCacheContexts(['user.node_grants:view']);
}
if ($account->id() != $node->getOwnerId()) {
return NULL;
}
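Review bot: In the second hunk of checkAccess(), `$view_access_result` is only merged as cacheable metadata inside the `instanceof RefinableCacheableDependencyInterface` branch, so whether an allowed result from checkViewAccess() is still honoured depends on code between the hunks that is not visible here. The page no longer marks which of the two checkViewAccess() calls in the first hunk is new; if the early `return $result;` was dropped, an owner viewing their own unpublished node would presumably fall through to the node grants check, and if both calls remain the cache contexts are computed twice. Either way, a short comment above the assignment saying that the view result is kept for its cacheability, and where its allow decision is applied, would make the access path auditable. The guard would also read more clearly as `if ($view_access_result !== NULL) {`, matching the `$result !== NULL` test in the first hunk. Both checkAccess() and checkViewAccess() continue outside the hunks shown.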