Fix permission cache invalidation and add Redis session regression coverage

eiresendez · eiresendez · commit a4253d16bf6a · 2026-03-26T12:15:30.000-06:00
diff --git a/ProcessMaker/Models/User.php b/ProcessMaker/Models/User.php
@@ -591,7 +591,7 @@ public function refresh()
 
         // Clear permissions and user_permissions
         Cache::forget('permissions');
-        app(\ProcessMaker\Services\PermissionCacheService::class)->forgetLegacyUserPermissions($this->id);
+        $this->invalidatePermissionCache();
 
         // return the refreshed user instance
         return $this;
diff --git a/ProcessMaker/Services/PermissionCacheService.php b/ProcessMaker/Services/PermissionCacheService.php
@@ -20,6 +20,12 @@ class PermissionCacheService implements PermissionCacheInterface
 
     private const TRACKED_PERMISSION_KEYS = 'permission_cache_keys';
 
+    private const TRACKED_PERMISSION_KEYS_LOCK = 'permission_cache_keys_lock';
+
+    private const TRACKED_PERMISSION_KEYS_LOCK_SECONDS = 10;
+
+    private const TRACKED_PERMISSION_KEYS_LOCK_WAIT_SECONDS = 5;
+
     /**
      * Get cached permissions for a user
      */
@@ -174,11 +180,13 @@ public function invalidateGroupPermissions(int $groupId): void
     public function clearAll(): void
     {
         try {
-            foreach ($this->getTrackedPermissionKeys() as $key) {
-                Cache::forget($key);
-            }
+            $this->withTrackedPermissionKeysLock(function (): void {
+                foreach ($this->getTrackedPermissionKeysFromCache() as $key) {
+                    Cache::forget($key);
+                }
 
-            Cache::forget(self::TRACKED_PERMISSION_KEYS);
+                Cache::forget(self::TRACKED_PERMISSION_KEYS);
+            });
         } catch (\Exception $e) {
             Log::warning('Failed to clear all permission caches: ' . $e->getMessage());
         }
@@ -241,39 +249,55 @@ public function getCacheStats(): array
      */
     private function trackPermissionKey(string $key): void
     {
-        $keys = $this->getTrackedPermissionKeys();
-        if (!in_array($key, $keys, true)) {
-            $keys[] = $key;
-            Cache::forever(self::TRACKED_PERMISSION_KEYS, $keys);
-        }
+        $this->withTrackedPermissionKeysLock(function () use ($key): void {
+            $keys = $this->getTrackedPermissionKeysFromCache();
+
+            if (!in_array($key, $keys, true)) {
+                $keys[] = $key;
+                Cache::forever(self::TRACKED_PERMISSION_KEYS, $keys);
+            }
+        });
     }
 
     /**
      * Stop tracking a permission key after explicit invalidation.
      */
     private function untrackPermissionKey(string $key): void
     {
-        $keys = array_values(array_filter(
-            $this->getTrackedPermissionKeys(),
-            fn ($trackedKey) => $trackedKey !== $key
-        ));
+        $this->withTrackedPermissionKeysLock(function () use ($key): void {
+            $keys = array_values(array_filter(
+                $this->getTrackedPermissionKeysFromCache(),
+                fn ($trackedKey) => $trackedKey !== $key
+            ));
 
-        if (empty($keys)) {
-            Cache::forget(self::TRACKED_PERMISSION_KEYS);
+            if (empty($keys)) {
+                Cache::forget(self::TRACKED_PERMISSION_KEYS);
 
-            return;
-        }
+                return;
+            }
 
-        Cache::forever(self::TRACKED_PERMISSION_KEYS, $keys);
+            Cache::forever(self::TRACKED_PERMISSION_KEYS, $keys);
+        });
     }
 
     /**
-     * Read the tracked permission keys index.
+     * Read the tracked permission keys index without locking.
      */
-    private function getTrackedPermissionKeys(): array
+    private function getTrackedPermissionKeysFromCache(): array
     {
         $keys = Cache::get(self::TRACKED_PERMISSION_KEYS, []);
 
         return is_array($keys) ? $keys : [];
     }
+
+    /**
+     * Serialize tracked-key mutations so concurrent warmups do not drop entries.
+     */
+    private function withTrackedPermissionKeysLock(callable $callback): mixed
+    {
+        return Cache::lock(
+            self::TRACKED_PERMISSION_KEYS_LOCK,
+            self::TRACKED_PERMISSION_KEYS_LOCK_SECONDS
+        )->block(self::TRACKED_PERMISSION_KEYS_LOCK_WAIT_SECONDS, $callback);
+    }
 }
diff --git a/tests/Feature/PermissionCacheInvalidationTest.php b/tests/Feature/PermissionCacheInvalidationTest.php
@@ -4,6 +4,11 @@
 
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Redis;
+use Laravel\Passport\Passport;
+use ProcessMaker\Models\Group;
+use ProcessMaker\Models\GroupMember;
 use ProcessMaker\Models\Permission;
 use ProcessMaker\Models\User;
 use ProcessMaker\Services\PermissionServiceManager;
@@ -23,7 +28,7 @@ protected function setUp(): void
         // Ensure the user is created by the trait
         if (!$this->user) {
             $this->user = User::factory()->create([
-                'password' => \Illuminate\Support\Facades\Hash::make('password'),
+                'password' => Hash::make('password'),
                 'is_administrator' => true,
             ]);
         }
@@ -114,4 +119,65 @@ public function test_permission_cache_is_invalidated_when_user_permissions_remov
         $this->assertContains('permission-1', $freshPermissions);
         $this->assertNotContains('permission-2', $freshPermissions);
     }
+
+    public function test_group_permission_update_does_not_logout_redis_backed_session()
+    {
+        $this->ensureRedisSessionAndCacheAreAvailable();
+
+        $originalPermission = Permission::factory()->create(['name' => 'redis-group-permission']);
+        Permission::factory()->create(['name' => 'redis-group-permission-updated']);
+        $group = Group::factory()->create(['name' => 'Redis Permission Group']);
+        $affectedUser = User::factory()->create([
+            'password' => Hash::make('password'),
+            'is_administrator' => false,
+        ]);
+
+        GroupMember::factory()->create([
+            'group_id' => $group->id,
+            'member_type' => User::class,
+            'member_id' => $affectedUser->id,
+        ]);
+
+        $group->permissions()->sync([$originalPermission->id]);
+
+        $this->permissionService->warmUpUserCache($affectedUser->id);
+
+        $cachedPermissions = Cache::get("user_permissions:{$affectedUser->id}");
+        $this->assertNotNull($cachedPermissions);
+        $this->assertContains('redis-group-permission', $cachedPermissions);
+
+        $this->actingAs($this->user, 'web')
+            ->post(route('keep-alive'))
+            ->assertNoContent();
+
+        Passport::actingAs($this->user);
+
+        $this->json('PUT', '/api/1.0/permissions', [
+            'group_id' => $group->id,
+            'permission_names' => ['redis-group-permission-updated'],
+        ])->assertNoContent();
+
+        $this->post(route('keep-alive'))->assertNoContent();
+        $this->assertAuthenticatedAs($this->user, 'web');
+
+        $freshPermissions = $this->permissionService->getUserPermissions($affectedUser->id);
+        $this->assertContains('redis-group-permission-updated', $freshPermissions);
+        $this->assertNotContains('redis-group-permission', $freshPermissions);
+    }
+
+    private function ensureRedisSessionAndCacheAreAvailable(): void
+    {
+        config()->set('cache.default', 'redis');
+        config()->set('session.driver', 'redis');
+        config()->set('session.connection', 'default');
+
+        try {
+            Redis::connection('default')->ping();
+            Redis::connection('cache')->ping();
+        } catch (\Throwable $e) {
+            $this->markTestSkipped(
+                'Redis is not available for the permission cache invalidation regression test: ' . $e->getMessage()
+            );
+        }
+    }
 }
diff --git a/tests/Model/UserTest.php b/tests/Model/UserTest.php
@@ -130,4 +130,19 @@ public function testAddCategoryViewPermissions()
         $testFor('screen', 'screens');
         $testFor('script', 'scripts');
     }
+
+    public function testRefreshInvalidatesBothPermissionCacheFamilies()
+    {
+        $user = User::factory()->create(['password' => Hash::make('password')]);
+
+        Cache::put("user_permissions:{$user->id}", ['cached'], 3600);
+        Cache::put("user_{$user->id}_permissions", ['legacy'], 3600);
+        Cache::put('unrelated-cache-key', 'keep-me', 3600);
+
+        $user->refresh();
+
+        $this->assertNull(Cache::get("user_permissions:{$user->id}"));
+        $this->assertNull(Cache::get("user_{$user->id}_permissions"));
+        $this->assertSame('keep-me', Cache::get('unrelated-cache-key'));
+    }
 }
diff --git a/tests/unit/ProcessMaker/Services/PermissionCacheServiceTest.php b/tests/unit/ProcessMaker/Services/PermissionCacheServiceTest.php
@@ -203,6 +203,42 @@ public function test_clear_all_clears_legacy_user_permission_cache_only_when_tra
         $this->assertSame('keep-me', Cache::get('unrelated-cache-key'));
     }
 
+    /**
+     * Test that tracked permission keys include every managed cache entry.
+     */
+    public function test_tracked_permission_keys_include_all_managed_cache_entries()
+    {
+        $this->cacheService->cacheUserPermissions($this->userId, $this->userPermissions);
+        $this->cacheService->putLegacyUserPermissions($this->userId, $this->userPermissions, 3600);
+        $this->cacheService->cacheGroupPermissions($this->groupId, $this->groupPermissions);
+
+        $trackedKeys = Cache::get('permission_cache_keys');
+
+        $this->assertIsArray($trackedKeys);
+        $this->assertContains("user_permissions:{$this->userId}", $trackedKeys);
+        $this->assertContains("user_{$this->userId}_permissions", $trackedKeys);
+        $this->assertContains("group_permissions:{$this->groupId}", $trackedKeys);
+    }
+
+    /**
+     * Test that tracked permission keys are pruned when a user cache is invalidated.
+     */
+    public function test_invalidate_user_permissions_removes_only_user_keys_from_tracked_index()
+    {
+        $this->cacheService->cacheUserPermissions($this->userId, $this->userPermissions);
+        $this->cacheService->putLegacyUserPermissions($this->userId, $this->userPermissions, 3600);
+        $this->cacheService->cacheGroupPermissions($this->groupId, $this->groupPermissions);
+
+        $this->cacheService->invalidateUserPermissions($this->userId);
+
+        $trackedKeys = Cache::get('permission_cache_keys');
+
+        $this->assertIsArray($trackedKeys);
+        $this->assertNotContains("user_permissions:{$this->userId}", $trackedKeys);
+        $this->assertNotContains("user_{$this->userId}_permissions", $trackedKeys);
+        $this->assertContains("group_permissions:{$this->groupId}", $trackedKeys);
+    }
+
     /**
      * Test that cache keys are generated correctly
      */
