Problem/Motivation
Access cacheability is not correct when the "view own unpublished content" permission is in use, leading to improperly cached render arrays.
Steps to reproduce
(See even more minimalist reproduction steps in MR !8198)
1. Standard install
2. Add an entity reference field to the Page content type called "Related Articles" where article content can be referenced.
3. Configure the "Related Articles" field to display as a rendered entity.
4. Create Content Editor named "Dan"
5. Log in as Dan
6. Create an Article named "Dan's Article".
7. Create a Page named "Test Page" and add "Dan's Article" as a Related Article.
8. As the admin, unpublish "Dan's Article"
9. As Dan, View "Test Page". You will see "Dan's Article" rendered in pink. Good.
10. Create a new Content Editor named Flan.
11. Log in as Flan.
12. As Flan, view "Test Page". You will NOT see "Dan's Article". Good.
13. Clear Caches.
14. As Flan, view "Test Page". You will NOT see "Dan's Article". Good.
15. As Dan, view "Test Page". You will NOT see "Dan's Article". This is not correct.
Note that you will never see MORE than you are supposed to see. This is not an access bypass problem. Rather you will potentially see less than you are supposed to see.
In this particular case, the incorrect cacheable metadata is being created within EntityReferenceFormatterBase::getEntitiesToView:
$access = $this->checkAccess($entity);
// Add the access result's cacheability, ::view() needs it.
$item->_accessCacheability = CacheableMetadata::createFromObject($access);
Proposed resolution
Bubble up the user cache context when there is no other option, since the lack of a proper cache context on the final render result causes this problem.
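The following is an added toy model, not Drupal core code and not taken from the MR, that replays steps 13 to 15 against a cache keyed by cache contexts, first without and then with the user context bubbled on the denied result. The names check_access, cache_key, view_page and $bubbleUser are hypothetical, and the model assumes that only the allowed access result declares the user context, which matches the note that viewers only ever see less than they should.

```php
<?php
// Toy model of a context-keyed render cache; this is not Drupal core code.
const PERM = 'view own unpublished content';
// Access check for an unpublished node. $bubbleUser models the proposed fix.
function check_access(array $node, array $account, bool $bubbleUser): array {
  $allowed = in_array(PERM, $account['permissions'], true) && $account['uid'] === $node['owner'];
  $contexts = ['user.permissions'];
  // Assumption: only the allowed result declares the per-user variation,
  // unless the fix is enabled and the denied result declares it as well.
  if ($allowed || $bubbleUser) {
    $contexts[] = 'user';
  }
  return ['allowed' => $allowed, 'contexts' => $contexts];
}

// Turn a list of cache contexts into a cache key for one account.
function cache_key(array $contexts, array $account): string {
  $parts = [];
  foreach ($contexts as $context) {
    $parts[] = $context === 'user' ? 'uid=' . $account['uid'] : 'perms=' . implode(',', $account['permissions']);
  }
  return implode('|', $parts);
}

// Render the referenced article for an account, using and filling the cache.
function view_page(array &$cache, array $node, array $account, bool $bubbleUser): string {
  if (isset($cache['contexts'])) {
    $key = cache_key($cache['contexts'], $account);
    if (isset($cache['items'][$key])) {
      return $cache['items'][$key];  // Cache hit: access is not re-checked.
    }
  }
  $access = check_access($node, $account, $bubbleUser);
  $markup = $access['allowed'] ? $node['title'] : '(nothing)';
  $cache['contexts'] = array_values(array_unique(array_merge($cache['contexts'] ?? [], $access['contexts'])));
  $cache['items'][cache_key($cache['contexts'], $account)] = $markup;
  return $markup;
}

// Constructed sample data: two editors with identical permissions.
$editor = [PERM, 'access content'];
$dan = ['uid' => 2, 'permissions' => $editor];
$flan = ['uid' => 3, 'permissions' => $editor];
$node = ['title' => "Dan's Article", 'owner' => 2];
foreach ([false, true] as $bubbleUser) {
  $cache = [];  // Step 13: clear caches.
  $seenByFlan = view_page($cache, $node, $flan, $bubbleUser);  // Step 14.
  $seenByDan = view_page($cache, $node, $dan, $bubbleUser);    // Step 15.
  printf("bubble user=%s Flan: %s, Dan: %s\n", var_export($bubbleUser, true), $seenByFlan, $seenByDan);
}
```

Without the user context, Flan's denied result is stored under a key that Dan's request also computes, so Dan gets Flan's output; with it, each user gets a separate cache entry.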
Remaining tasks
- Fix #2973356: Cacheability information from route access checker access results are ignored by dynamic_page_cache, which currently blocks fixing this issue; see more details in https://git.drupalcode.org/project/drupal/-/merge_requests/8198#note_317834
- Consider if improvements introduced by #3473374: Improve Dynamic Page Cache header assertions in JSON:API tests (originally invented in this issue) should be merged first or can be merged as part of this issue.
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
N/A