FOUR-29436: track legacy permission cache keys

Author: eiresendez

ProcessMaker/Http/Controllers/Auth/LoginController.php

@@ -16,6 +16,7 @@
 use ProcessMaker\Models\Setting;
 use ProcessMaker\Models\User;
 use ProcessMaker\Package\Auth\Database\Seeds\AuthDefaultSeeder;
+use ProcessMaker\Services\PermissionCacheService;
 use ProcessMaker\Traits\HasControllerAddons;
 
 class LoginController extends Controller
@@ -262,7 +263,7 @@ public function beforeLogout(Request $request)
 
             //Clear the user permissions
             $userId = Auth::user()->id;
-            Cache::forget("user_{$userId}_permissions");
+            app(PermissionCacheService::class)->forgetLegacyUserPermissions($userId);
             Cache::forget("user_{$userId}_project_assets");
 
             // Clear the user session
@@ -364,9 +365,13 @@ public function login(Request $request, User $user)
                 return redirect()->route('password.change');
             }
             // Cache user permissions for a day to improve performance
-            Cache::remember("user_{$user->id}_permissions", 86400, function () use ($user) {
-                return $user->permissions()->pluck('name')->toArray();
-            });
+            app(PermissionCacheService::class)->rememberLegacyUserPermissions(
+                $user->id,
+                86400,
+                function () use ($user) {
+                    return $user->permissions()->pluck('name')->toArray();
+                }
+            );
 
             $this->setupLanguage($request, $user);
 

ProcessMaker/Http/Middleware/CustomAuthorize.php

@@ -7,7 +7,6 @@
 use Illuminate\Auth\Middleware\Authorize as Middleware;
 use Illuminate\Http\Request;
 use Illuminate\Support\Arr;
-use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Str;
@@ -16,6 +15,7 @@
 use ProcessMaker\Models\Screen;
 use ProcessMaker\Models\Script;
 use ProcessMaker\Models\User;
+use ProcessMaker\Services\PermissionCacheService;
 use ProcessMaker\Traits\ProjectAssetTrait;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -94,9 +94,13 @@ private function userHasAccessToProject($request, $userId, $models)
 
     private function getUserPermissions($user)
     {
-        return Cache::remember("user_{$user->id}_permissions", 86400, function () use ($user) {
-            return $user->permissions()->pluck('name')->toArray();
-        });
+        return app(PermissionCacheService::class)->rememberLegacyUserPermissions(
+            $user->id,
+            86400,
+            function () use ($user) {
+                return $user->permissions()->pluck('name')->toArray();
+            }
+        );
     }
 
     private function hasPermission($userPermissions, $permission)

ProcessMaker/Http/Middleware/IsManager.php

@@ -6,6 +6,7 @@
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Log;
+use ProcessMaker\Services\PermissionCacheService;
 use Symfony\Component\HttpFoundation\Response;
 
 class IsManager
@@ -76,12 +77,11 @@ private function simulateRequiredPermissionsForRequest($user, array $requiredPer
             }
 
             // simulate the permissions by adding them temporarily to the cache of permissions
-            $cacheKey = "user_{$user->id}_permissions";
             $simulatedPermissions = array_merge($currentPermissions, $permissionsToAdd);
 
             // save in cache temporarily (only for this request)
             // use a very short time to expire quickly if not cleaned manually
-            Cache::put($cacheKey, $simulatedPermissions, 5); // 5 segundos como fallback
+            app(PermissionCacheService::class)->putLegacyUserPermissions($user->id, $simulatedPermissions, 5);
         } catch (\Exception $e) {
             Log::error('IsManager middleware - Error simulating permissions: ' . $e->getMessage());
         }
@@ -93,10 +93,8 @@ private function simulateRequiredPermissionsForRequest($user, array $requiredPer
     private function cleanupSimulatedPermission($user)
     {
         try {
-            $cacheKey = "user_{$user->id}_permissions";
-
             // delete the cache to force the reload of real permissions
-            Cache::forget($cacheKey);
+            app(PermissionCacheService::class)->forgetLegacyUserPermissions($user->id);
         } catch (\Exception $e) {
             Log::error('IsManager middleware - Error cleaning up simulated permissions: ' . $e->getMessage());
         }

ProcessMaker/Models/User.php

@@ -591,7 +591,7 @@ public function refresh()
 
         // Clear permissions and user_permissions
         Cache::forget('permissions');
-        Cache::forget("user_{$this->id}_permissions");
+        app(\ProcessMaker\Services\PermissionCacheService::class)->forgetLegacyUserPermissions($this->id);
 
         // return the refreshed user instance
         return $this;

ProcessMaker/Services/PermissionCacheService.php

@@ -102,6 +102,57 @@ public function invalidateUserPermissions(int $userId): void
         }
     }
 
+    /**
+     * Remember legacy user permissions and track the key for scoped clearAll().
+     */
+    public function rememberLegacyUserPermissions(int $userId, int $ttl, callable $callback): array
+    {
+        $key = $this->getLegacyUserPermissionsKey($userId);
+
+        try {
+            $permissions = Cache::remember($key, $ttl, $callback);
+            $this->trackPermissionKey($key);
+
+            return is_array($permissions) ? $permissions : [];
+        } catch (\Exception $e) {
+            Log::warning("Failed to remember legacy user permissions for user {$userId}: " . $e->getMessage());
+
+            $permissions = $callback();
+
+            return is_array($permissions) ? $permissions : [];
+        }
+    }
+
+    /**
+     * Cache legacy user permissions and track the key for scoped clearAll().
+     */
+    public function putLegacyUserPermissions(int $userId, array $permissions, int $ttl): void
+    {
+        $key = $this->getLegacyUserPermissionsKey($userId);
+
+        try {
+            Cache::put($key, $permissions, $ttl);
+            $this->trackPermissionKey($key);
+        } catch (\Exception $e) {
+            Log::warning("Failed to cache legacy user permissions for user {$userId}: " . $e->getMessage());
+        }
+    }
+
+    /**
+     * Forget the legacy user permission cache and remove it from the tracked index.
+     */
+    public function forgetLegacyUserPermissions(int $userId): void
+    {
+        $key = $this->getLegacyUserPermissionsKey($userId);
+
+        try {
+            Cache::forget($key);
+            $this->untrackPermissionKey($key);
+        } catch (\Exception $e) {
+            Log::warning("Failed to forget legacy user permissions for user {$userId}: " . $e->getMessage());
+        }
+    }
+
     /**
      * Invalidate group permissions cache
      */

ProcessMaker/Traits/HasAuthorization.php

@@ -2,10 +2,10 @@
 
 namespace ProcessMaker\Traits;
 
-use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Log;
 use ProcessMaker\Models\Group;
 use ProcessMaker\Models\Permission;
+use ProcessMaker\Services\PermissionCacheService;
 use ProcessMaker\Services\PermissionServiceManager;
 
 trait HasAuthorization
@@ -33,9 +33,13 @@ public function loadPermissions()
     public function loadUserPermissions()
     {
         $user = $this;
-        $permissions = Cache::remember("user_{$user->id}_permissions", 86400, function () use ($user) {
-            return $user->permissions()->pluck('name')->toArray();
-        });
+        $permissions = app(PermissionCacheService::class)->rememberLegacyUserPermissions(
+            $user->id,
+            86400,
+            function () use ($user) {
+                return $user->permissions()->pluck('name')->toArray();
+            }
+        );
 
         return $this->addCategoryViewPermissions($permissions);
     }

tests/unit/ProcessMaker/Services/PermissionCacheServiceTest.php

@@ -126,7 +126,7 @@ public function test_invalidate_user_permissions_clears_cache_correctly()
     {
         // Cache user permissions
         $this->cacheService->cacheUserPermissions($this->userId, $this->userPermissions);
-        Cache::put("user_{$this->userId}_permissions", $this->userPermissions, 3600);
+        $this->cacheService->putLegacyUserPermissions($this->userId, $this->userPermissions, 3600);
 
         // Verify cache exists
         $this->assertNotNull(Cache::get("user_permissions:{$this->userId}"));
@@ -165,22 +165,44 @@ public function test_clear_all_clears_all_permission_caches()
     {
         // Cache both user and group permissions
         $this->cacheService->cacheUserPermissions($this->userId, $this->userPermissions);
+        $this->cacheService->putLegacyUserPermissions($this->userId, $this->userPermissions, 3600);
         $this->cacheService->cacheGroupPermissions($this->groupId, $this->groupPermissions);
         Cache::put('unrelated-cache-key', 'keep-me', 3600);
 
         // Verify both caches exist
         $this->assertNotNull(Cache::get("user_permissions:{$this->userId}"));
+        $this->assertNotNull(Cache::get("user_{$this->userId}_permissions"));
         $this->assertNotNull(Cache::get("group_permissions:{$this->groupId}"));
 
         // Clear all caches
         $this->cacheService->clearAll();
 
         // Verify both caches were cleared
         $this->assertNull(Cache::get("user_permissions:{$this->userId}"));
+        $this->assertNull(Cache::get("user_{$this->userId}_permissions"));
         $this->assertNull(Cache::get("group_permissions:{$this->groupId}"));
         $this->assertSame('keep-me', Cache::get('unrelated-cache-key'));
     }
 
+    /**
+     * Test that clearAll clears tracked legacy permission caches without touching unrelated cache.
+     */
+    public function test_clear_all_clears_legacy_user_permission_cache_only_when_tracked()
+    {
+        $permissions = $this->cacheService->rememberLegacyUserPermissions($this->userId, 3600, function () {
+            return $this->userPermissions;
+        });
+        Cache::put('unrelated-cache-key', 'keep-me', 3600);
+
+        $this->assertEquals($this->userPermissions, $permissions);
+        $this->assertNotNull(Cache::get("user_{$this->userId}_permissions"));
+
+        $this->cacheService->clearAll();
+
+        $this->assertNull(Cache::get("user_{$this->userId}_permissions"));
+        $this->assertSame('keep-me', Cache::get('unrelated-cache-key'));
+    }
+
     /**
      * Test that cache keys are generated correctly
      */

tests/unit/ProcessMaker/Traits/HasAuthorizationTest.php

@@ -3,9 +3,11 @@
 namespace Tests\Unit\ProcessMaker\Traits;
 
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Cache;
 use ProcessMaker\Models\Group;
 use ProcessMaker\Models\Permission;
 use ProcessMaker\Models\User;
+use ProcessMaker\Services\PermissionCacheService;
 use Tests\TestCase;
 
 class HasAuthorizationTest extends TestCase
@@ -66,6 +68,25 @@ public function test_load_permissions_works_correctly()
         $this->assertTrue($this->user->hasPermission('test-permission'));
     }
 
+    /**
+     * Test that legacy permission caches written by the trait are tracked for clearAll().
+     */
+    public function test_load_user_permissions_registers_legacy_cache_for_clear_all()
+    {
+        $this->user->permissions()->attach($this->permission->id);
+        Cache::put('unrelated-cache-key', 'keep-me', 3600);
+
+        $permissions = $this->user->loadUserPermissions();
+
+        $this->assertContains('test-permission', $permissions);
+        $this->assertNotNull(Cache::get("user_{$this->user->id}_permissions"));
+
+        app(PermissionCacheService::class)->clearAll();
+
+        $this->assertNull(Cache::get("user_{$this->user->id}_permissions"));
+        $this->assertSame('keep-me', Cache::get('unrelated-cache-key'));
+    }
+
     /**
      * Test that invalidatePermissionCache works correctly
      */