Node Permissions appear to be broken in 6.1.3

[iknowfoobar]

Hi, we have recently been updating some of our sites and have just noticed that for every site that we have upgraded to from 6.1.2 to 6.1.3 the permissions for pages appear to be broken.

On the front end all pages that previously required a user to be logged in with a specific permission become viewable by anonymous users and in the admin area the Permissions tab for each node/page has gone and all pages appear to be editable by all users regardless of permission group.

Returning the site back to 6.1.2 fixes permissions again for our sites.

Is there some configuration that has changed or have we missed something while upgrading?

Symfony 5.3
PHP 8.0

[iknowfoobar]

Ha, never mind, found it!
kunstmaan_node.enable_permissions

[acrobat]

Yes, if you use flex (or update the recipes through flex) you might get an update on the kunstmaan_node config as we disabled it by default. It should work fine after you enable it again, if you encounter any bugs feel free to open a new issue!

[iknowfoobar]

Actually we think there is still an issue with permissions.
Now we have turned enable_permissions back to true, no pages on the front end will load when you are logged out. They all load fine when you are logged in however. We are seeing this same problem an all our 6.1 sites, however we only need permissions enabled for a couple of our sites which is why we didn't notice at first.

Attempted to call an undefined method named "isAuthenticated" of class "Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver".

Symfony\Component\ErrorHandler\Error\UndefinedMethodError:
Attempted to call an undefined method named "isAuthenticated" of class "Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver".

  at vendor/symfony/security-acl/Domain/SecurityIdentityRetrievalStrategy.php:82
  at Symfony\Component\Security\Acl\Domain\SecurityIdentityRetrievalStrategy->isNotAuthenticated(object(NullToken))
     (vendor/symfony/security-acl/Domain/SecurityIdentityRetrievalStrategy.php:72)
  at Symfony\Component\Security\Acl\Domain\SecurityIdentityRetrievalStrategy->getSecurityIdentities(object(NullToken))
     (vendor/symfony/security-acl/Voter/AclVoter.php:92)
  at Symfony\Component\Security\Acl\Voter\AclVoter->vote(object(NullToken), object(Node), array('VIEW'))
     (vendor/symfony/security-core/Authorization/Voter/TraceableVoter.php:38)
  at Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter->vote(object(NullToken), object(Node), array('VIEW'))
     (vendor/symfony/security-core/Authorization/AccessDecisionManager.php:84)
  at Symfony\Component\Security\Core\Authorization\AccessDecisionManager->decideAffirmative(object(NullToken), array('VIEW'), object(Node))
     (vendor/symfony/security-core/Authorization/AccessDecisionManager.php:71)
  at Symfony\Component\Security\Core\Authorization\AccessDecisionManager->decide(object(NullToken), array('VIEW'), object(Node), false)
     (vendor/symfony/security-core/Authorization/TraceableAccessDecisionManager.php:63)
  at Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager->decide(object(NullToken), array('VIEW'), object(Node))
     (vendor/symfony/security-core/Authorization/AuthorizationChecker.php:63)
  at Symfony\Component\Security\Core\Authorization\AuthorizationChecker->isGranted('VIEW', object(Node))
     (vendor/kunstmaan/node-bundle/EventListener/SlugSecurityListener.php:59)
  at Kunstmaan\NodeBundle\EventListener\SlugSecurityListener->onSlugSecurityEvent(object(SlugSecurityEvent), 'kunstmaan_node.slug.security', object(TraceableEventDispatcher))
     (vendor/symfony/event-dispatcher/Debug/WrappedListener.php:117)
  at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(object(SlugSecurityEvent), 'kunstmaan_node.slug.security', object(TraceableEventDispatcher))
     (vendor/symfony/event-dispatcher/EventDispatcher.php:230)
  at Symfony\Component\EventDispatcher\EventDispatcher->callListeners(array(object(WrappedListener)), 'kunstmaan_node.slug.security', object(SlugSecurityEvent))
     (vendor/symfony/event-dispatcher/EventDispatcher.php:59)
  at Symfony\Component\EventDispatcher\EventDispatcher->dispatch(object(SlugSecurityEvent), 'kunstmaan_node.slug.security')
     (vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php:151)
  at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch(object(SlugSecurityEvent), 'kunstmaan_node.slug.security')
     (vendor/kunstmaan/node-bundle/Controller/SlugController.php:88)
  at Kunstmaan\NodeBundle\Controller\SlugController->slugAction(object(Request), '', false)
     (vendor/symfony/http-kernel/HttpKernel.php:156)
  at Symfony\Component\HttpKernel\HttpKernel->handleRaw(object(Request), 1)
     (vendor/symfony/http-kernel/HttpKernel.php:78)
  at Symfony\Component\HttpKernel\HttpKernel->handle(object(Request), 1, true)
     (vendor/symfony/http-kernel/Kernel.php:199)
  at Symfony\Component\HttpKernel\Kernel->handle(object(Request))
     (vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:37)
  at Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner->run()
     (vendor/autoload_runtime.php:35)
  at require_once('/Users/giles/Sites/darkstarbrewing-co-uk/vendor/autoload_runtime.php')
     (public/index.php:5)
  at require('/Users/giles/Sites/darkstarbrewing-co-uk/public/index.php')
     (/Users/giles/.composer/vendor/laravel/valet/server.php:234) 

[acrobat]

It seems to be an incompatibilty in symfony/security-acl, which version of symfony/security and symfony/security-acl do you have installed? Also do have the new symfony (5.3/5.4) authentication system enabled or do you use still the deprecated system?

[iknowfoobar]

Thanks @acrobat
We don't appear to have symfony/security install on any sites, but we do have

symfony/security-acl                 v3.3.0    Symfony Security Component - ACL (Access Control List)
symfony/security-bundle              v5.3.14   Provides a tight integration of the Security component into the Symfony full-stack framework
symfony/security-core                v5.3.14   Symfony Security Component - Core Library
symfony/security-csrf                v5.3.14   Symfony Security Component - CSRF Library
symfony/security-guard               v5.3.14   Symfony Security Component - Guard
symfony/security-http                v5.3.14   Symfony Security Component - HTTP Integration

And we are using the new 5.3/4 system with the old FOSUserBundle removed.

[acrobat]

Can you try to downgrade symfony/security-acl to 3.2.0 or upgrade symfony to 5.4? I think this is caused by an incompatible check in security-acl which doesn't work on symfony 5.3. If it does work again after the upgrade/downgrade I think an issue in https://github.com/symfony/security-acl should be created.

https://github.com/symfony/security-acl/blob/04d6fadd671d72ff322e20840e510030753e008a/Domain/SecurityIdentityRetrievalStrategy.php#L81-L83

[iknowfoobar]

We couldn't get Kuma 6.1 working with Symfony 5.4, every time we tried logged in it complained about not being able to find a password hasher for the user (so we may be missing some config there too).

For now setting symfony/security-acl back to 3.2.0 seems to have fixed it.

[iknowfoobar]

Hi @acrobat we have got our sites working on S5.4 now. As I suspected we were missing some config and some bundle versions were out too.
We've checked out a new kunstmaan project and compared composer and config and we had drifted apart slightly, fixed bundle versions and config and all working now. Some of our sites have gone through many versions of Kunstmaan!
Thanks for your help.

[acrobat]

Great to hear! I've also added a fix for symfony 5.3 and security-acl 3.3.0 so that shouldn't happen on other projects (symfony/security-acl#106)