FOUR-29436: Unexpected logout when clicking SAVE in Group Permissions

ProcessMaker/Contracts/PermissionRepositoryInterface.php

@@ -33,4 +33,9 @@ public function getGroupPermissionsById(int $groupId): array;
      * Get nested group permissions (recursive)
      */
     public function getNestedGroupPermissions(int $groupId): array;
+
+    /**
+     * Get all users affected by permissions inherited from the given group subtree.
+     */
+    public function getAffectedUserIdsForGroup(int $groupId): array;
 }

ProcessMaker/Http/Controllers/Auth/LoginController.php

@@ -16,6 +16,7 @@
 use ProcessMaker\Models\Setting;
 use ProcessMaker\Models\User;
 use ProcessMaker\Package\Auth\Database\Seeds\AuthDefaultSeeder;
+use ProcessMaker\Services\PermissionCacheService;
 use ProcessMaker\Traits\HasControllerAddons;
 
 class LoginController extends Controller
@@ -262,7 +263,7 @@ public function beforeLogout(Request $request)
 
             //Clear the user permissions
             $userId = Auth::user()->id;
-            Cache::forget("user_{$userId}_permissions");
+            app(PermissionCacheService::class)->forgetLegacyUserPermissions($userId);
             Cache::forget("user_{$userId}_project_assets");
 
             // Clear the user session
@@ -364,9 +365,13 @@ public function login(Request $request, User $user)
                 return redirect()->route('password.change');
             }
             // Cache user permissions for a day to improve performance
-            Cache::remember("user_{$user->id}_permissions", 86400, function () use ($user) {
-                return $user->permissions()->pluck('name')->toArray();
-            });
+            app(PermissionCacheService::class)->rememberLegacyUserPermissions(
+                $user->id,
+                86400,
+                function () use ($user) {
+                    return $user->permissions()->pluck('name')->toArray();
+                }
+            );
 
             $this->setupLanguage($request, $user);
 

ProcessMaker/Http/Middleware/CustomAuthorize.php

@@ -7,7 +7,6 @@
 use Illuminate\Auth\Middleware\Authorize as Middleware;
 use Illuminate\Http\Request;
 use Illuminate\Support\Arr;
-use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Str;
@@ -16,6 +15,7 @@
 use ProcessMaker\Models\Screen;
 use ProcessMaker\Models\Script;
 use ProcessMaker\Models\User;
+use ProcessMaker\Services\PermissionCacheService;
 use ProcessMaker\Traits\ProjectAssetTrait;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -94,9 +94,13 @@ private function userHasAccessToProject($request, $userId, $models)
 
     private function getUserPermissions($user)
     {
-        return Cache::remember("user_{$user->id}_permissions", 86400, function () use ($user) {
-            return $user->permissions()->pluck('name')->toArray();
-        });
+        return app(PermissionCacheService::class)->rememberLegacyUserPermissions(
+            $user->id,
+            86400,
+            function () use ($user) {
+                return $user->permissions()->pluck('name')->toArray();
+            }
+        );
     }
 
     private function hasPermission($userPermissions, $permission)

ProcessMaker/Http/Middleware/IsManager.php

@@ -6,6 +6,7 @@
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Log;
+use ProcessMaker\Services\PermissionCacheService;
 use Symfony\Component\HttpFoundation\Response;
 
 class IsManager
@@ -76,12 +77,11 @@ private function simulateRequiredPermissionsForRequest($user, array $requiredPer
             }
 
             // simulate the permissions by adding them temporarily to the cache of permissions
-            $cacheKey = "user_{$user->id}_permissions";
             $simulatedPermissions = array_merge($currentPermissions, $permissionsToAdd);
 
             // save in cache temporarily (only for this request)
             // use a very short time to expire quickly if not cleaned manually
-            Cache::put($cacheKey, $simulatedPermissions, 5); // 5 segundos como fallback
+            app(PermissionCacheService::class)->putLegacyUserPermissions($user->id, $simulatedPermissions, 5);
         } catch (\Exception $e) {
             Log::error('IsManager middleware - Error simulating permissions: ' . $e->getMessage());
         }
@@ -93,10 +93,8 @@ private function simulateRequiredPermissionsForRequest($user, array $requiredPer
     private function cleanupSimulatedPermission($user)
     {
         try {
-            $cacheKey = "user_{$user->id}_permissions";
-
             // delete the cache to force the reload of real permissions
-            Cache::forget($cacheKey);
+            app(PermissionCacheService::class)->forgetLegacyUserPermissions($user->id);
         } catch (\Exception $e) {
             Log::error('IsManager middleware - Error cleaning up simulated permissions: ' . $e->getMessage());
         }

ProcessMaker/Listeners/InvalidatePermissionCacheOnGroupHierarchyChange.php

@@ -4,8 +4,6 @@
 
 use Illuminate\Support\Facades\Log;
 use ProcessMaker\Events\GroupMembershipChanged;
-use ProcessMaker\Models\Group;
-use ProcessMaker\Models\User;
 use ProcessMaker\Services\PermissionServiceManager;
 
 class InvalidatePermissionCacheOnGroupHierarchyChange
@@ -28,9 +26,13 @@ public function handle(GroupMembershipChanged $event): void
 
             // All actions (added, removed, updated) require the same cache invalidation logic
             // because they all affect the permission hierarchy for the group and its descendants
-            $this->permissionService->invalidateAll();
+            if ($group) {
+                $this->permissionService->invalidateAffectedCachesForGroup((int) $group->id);
+            }
 
-            Log::info("Successfully invalidated permission cache for group hierarchy change: {$action} for group {$group->id}");
+            Log::info(
+                "Successfully invalidated permission cache for group hierarchy change: {$action} for group " . ($group?->id ?? 'unknown')
+            );
         } catch (\Exception $e) {
             Log::error('Failed to invalidate permission cache on group hierarchy change', [
                 'error' => $e->getMessage(),

ProcessMaker/Listeners/InvalidatePermissionCacheOnUpdate.php

@@ -28,7 +28,7 @@ public function handle(PermissionUpdated $event): void
 
             // Invalidate cache for group if group permissions were updated
             if ($event->getGroupId()) {
-                $this->permissionService->invalidateAll();
+                $this->permissionService->invalidateAffectedCachesForGroup((int) $event->getGroupId());
             }
         } catch (\Exception $e) {
             Log::error('Failed to invalidate permission cache', [

ProcessMaker/Models/User.php

@@ -591,7 +591,7 @@ public function refresh()
 
         // Clear permissions and user_permissions
         Cache::forget('permissions');
-        Cache::forget("user_{$this->id}_permissions");
+        $this->invalidatePermissionCache();
 
         // return the refreshed user instance
         return $this;

ProcessMaker/Repositories/PermissionRepository.php

@@ -183,6 +183,19 @@ public function getNestedGroupPermissions(int $groupId): array
         return array_unique($permissions);
     }
 
+    /**
+     * Get all user ids affected by permissions inherited from the given group subtree.
+     */
+    public function getAffectedUserIdsForGroup(int $groupId): array
+    {
+        $group = Group::find($groupId);
+        if (!$group) {
+            return [];
+        }
+
+        return $this->collectAffectedUserIds($group);
+    }
+
     /**
      * Get nested group permissions recursively with protection against infinite loops
      */
@@ -261,4 +274,37 @@ private function hasNestedGroupPermission(Group $group, string $permission, arra
 
         return false;
     }
+
+    /**
+     * Collect all users inside a group subtree with protection against cycles.
+     */
+    private function collectAffectedUserIds(Group $group, array $visitedGroups = [], int $maxDepth = 25): array
+    {
+        if (in_array($group->id, $visitedGroups, true) || count($visitedGroups) >= $maxDepth) {
+            return [];
+        }
+
+        if (!$group->relationLoaded('groupMembers')) {
+            $group->load('groupMembers.member');
+        }
+
+        $visitedGroups[] = $group->id;
+        $userIds = [];
+
+        foreach ($group->groupMembers as $groupMember) {
+            if ($groupMember->member_type === User::class) {
+                $userIds[] = (int) $groupMember->member_id;
+                continue;
+            }
+
+            if ($groupMember->member_type === Group::class && $groupMember->member instanceof Group) {
+                $userIds = array_merge(
+                    $userIds,
+                    $this->collectAffectedUserIds($groupMember->member, $visitedGroups, $maxDepth)
+                );
+            }
+        }
+
+        return array_values(array_unique($userIds));
+    }
 }