A 'link' field allows users to either enter an external link or use autocomplete for an existing entity in the system. If a user enters an autocompleted node with restricted access into a link field (entity reference - not a hardcoded path), the link will still print.
Consider the following:
- Clean D8 install - create a custom block_content block with one 'link' field with unlimited cardinality
- Add two 'Articles' - one published, one unpublished
- Add both articles to your new block_content block just created
- Place the block
- Note both articles print
Ideally this would work like the entity reference field, and when we know we have an entity ref to a node, access would be respected for those.
I tried searching the issue queue for a similar report (thought there may be some history behind this issue), but didn't find anything. Apologies if this is a duplicate.
Comment | File | Size | Author |
---|---|---|---|
#20 | drupal-link-entity-access-2968609-20.patch | 11.77 KB | codebymikey |
#16 | interdiff_14-15.txt | 4.98 KB | codebymikey |
#15 | drupal-link-entity-access-2968609-15.patch | 11.5 KB | codebymikey |
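
The behaviour the report asks for can be sketched as a formatter that runs Drupal's route access check on each link before printing it. This is an added example, not the code from the patches attached to this issue; the module name `example_link_access`, the class `AccessCheckedLinkFormatter` and the plugin id are hypothetical, and it assumes entity access is enforced through the target route's access requirements.

```php
<?php
namespace Drupal\example_link_access\Plugin\Field\FieldFormatter;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Render\Element;
use Drupal\link\Plugin\Field\FieldFormatter\LinkFormatter;

/**
 * Hypothetical formatter: hides routed links the current user cannot access.
 * @FieldFormatter(
 *   id = "example_access_checked_link",
 *   label = @Translation("Link (access checked)"),
 *   field_types = {"link"}
 * )
 */
class AccessCheckedLinkFormatter extends LinkFormatter {
  public function view(FieldItemListInterface $items, $langcode = NULL) {
    $elements = parent::view($items, $langcode);
    $cacheability = CacheableMetadata::createFromRenderArray($elements);
    foreach ($items as $delta => $item) {
      try {
        $url = $item->getUrl();
      }
      catch (\InvalidArgumentException $e) {
        // Malformed URI: there is no route to run an access check against.
        continue;
      }
      // Only routed URLs (such as entity:node/N) have a Drupal route to check.
      if (!$url->isRouted()) {
        continue;
      }
      // Runs the route's access checks, e.g. node "view" for entity:node/N.
      $access = $url->access(NULL, TRUE);
      // Keep cache metadata for denied links too, so cached output can vary
      // by permissions and be invalidated together with the node.
      $cacheability->addCacheableDependency($access);
      if (!$access->isAllowed()) {
        unset($elements[$delta]);
      }
    }
    // No visible links left: emit only cache metadata, not an empty wrapper.
    if (!Element::children($elements)) {
      $elements = [];
    }
    $cacheability->applyTo($elements);
    return $elements;
  }
}
```

With the reproduction steps above, an anonymous visitor would see only the published article's link, while the unpublished one still contributes its cache metadata to the block.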
Comments
Comment #2
trwill commented
Comment #3
trwill commented
Any thoughts?
Comment #5
dpagini (as a volunteer) commented
Adding a (hopefully) failing test to demonstrate the expected behavior.
Comment #6
dpagini (as a volunteer) commented
Comment #9
quietone (as a volunteer) commented
Comment #10
codebymikey (at Zodiac Media) commented
Comment #12
codebymikey (at Zodiac Media) commented
Comment #14
codebymikey (at Zodiac Media) commented
Updated patch to take into account unrouted URLs.
Comment #15
codebymikey (at Zodiac Media) commented
Ensure the entity access check also applies on plain text links.
Comment #16
codebymikey (at Zodiac Media) commented
Comment #17
codebymikey (at Zodiac Media) commented
Uploading a patch that allows HTML artifacts to be displayed on DrupalCI.
The current implementation of DrupalCI is unable to sufficiently copy the assets into the appropriate directories since there are a lot of generated files.
Comment #20
codebymikey (at Zodiac Media) commented
Updated the variables so that it doesn't accidentally overwrite the original `$entity` variable retrieved from `FieldItemListInterface $items`.