A 'link' field allows users to either enter an external link or use autocomplete for an existing entity in the system. If a user enters an autocompleted node with restricted access into a link field (entity reference - not a hardcoded path), the link will still print.

Consider the following:
- Clean D8 install - create a custom block_content block with one 'link' field with unlimited cardinality
- Add two 'Articles' - one published, one unpublished
- Add both articles to your new block_content block just created
- Place the block
- Note both articles print

Ideally this would work like the entity reference field, and when we know we have a entity ref to a node, access would be respected for those.

I tried searching issue queue for similar report (thought there may be some history behind this issue), but didn't find anything. Apologies if this is a duplicate.

CommentFileSizeAuthor
#20 drupal-link-entity-access-2968609-20.patch11.77 KBcodebymikey
#17 drupal-link-entity-access-2968609-17-LINK-FUNCTIONAL-TEST-ONLY.patch12.78 KBcodebymikey
#16 interdiff_14-15.txt4.98 KBcodebymikey
#15 drupal-link-entity-access-2968609-15.patch11.5 KBcodebymikey
#14 drupal-link-entity-access-2968609-14.patch11.52 KBcodebymikey
#12 drupal-link-entity-access-2968609-12.patch11.5 KBcodebymikey
#6 2968609-6.patch3.69 KBdpagini
#5 2968609-5.patch3.71 KBdpagini

Issue fork drupal-2968609

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

trwill created an issue. See original summary.

trwill’s picture

trwill CreditAttribution: trwill commented
Issue summary: View changes
trwill’s picture

trwill CreditAttribution: trwill commented

Any thoughts?

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

dpagini’s picture

dpagini CreditAttribution: dpagini as a volunteer commented
FileSize
2968609-5.patch3.71 KB

Adding a (hopefully) failing test to demonstrate the expected behavior.

dpagini’s picture

dpagini CreditAttribution: dpagini as a volunteer commented
FileSize
2968609-6.patch3.69 KB

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

quietone’s picture

quietone CreditAttribution: quietone as a volunteer commented
Component: field system » link.module
codebymikey’s picture

codebymikey CreditAttribution: codebymikey at Zodiac Media commented
Version: 8.9.x-dev » 9.3.x-dev

codebymikey opened merge request !1313

codebymikey’s picture

codebymikey CreditAttribution: codebymikey at Zodiac Media commented
Status: Active » Needs review
FileSize
drupal-link-entity-access-2968609-12.patch11.5 KB

Status: Needs review » Needs work

The last submitted patch, 12: drupal-link-entity-access-2968609-12.patch, failed testing. View results

codebymikey’s picture

codebymikey CreditAttribution: codebymikey at Zodiac Media commented
FileSize
drupal-link-entity-access-2968609-14.patch11.52 KB

Updated patch to take into account unrouted URLs.

codebymikey’s picture

codebymikey CreditAttribution: codebymikey at Zodiac Media commented
FileSize
drupal-link-entity-access-2968609-15.patch11.5 KB

Ensure the entity access check also applies on plain text links.

codebymikey’s picture

codebymikey CreditAttribution: codebymikey at Zodiac Media commented
FileSize
interdiff_14-15.txt4.98 KB
codebymikey’s picture

codebymikey CreditAttribution: codebymikey at Zodiac Media commented
FileSize
drupal-link-entity-access-2968609-17-LINK-FUNCTIONAL-TEST-ONLY.patch12.78 KB

Uploading a patch that allows HTML artifacts to be displayed on DrupalCI.

The current implementation of DrupalCI is unable to sufficiently copy the assets into the appropriate directories since there are a lot of generated files.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

codebymikey’s picture

codebymikey CreditAttribution: codebymikey at Zodiac Media commented
FileSize
drupal-link-entity-access-2968609-20.patch11.77 KB

Updated the variables so that it doesn't accidentally overwrite the original $entity variable retrieved from FieldItemListInterface $items

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.