Now anonymous user can see listing page, because he also has permission "view any {$entityTypeId} entities". Also I think we don't need show this page for users with perms: "view own {$entityTypeId} entities", because it's admin page. For this pages we have permissions "access {$entityTypeId} entity listing" and it should be enough.

CommentFileSizeAuthor
#4 eck-3050197-4.patch1.17 KBMatroskeen
#2 anon_user_shouldnt_see_listing_page-3050197-2.patch475 bytesdima.iluschenko
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

dima.iluschenko created an issue. See original summary.

dima.iluschenko’s picture

dima.iluschenko
Location Malaga
CreditAttribution: dima.iluschenko at Bright Solutions GmbH commented
Status: Active » Needs review
FileSize
anon_user_shouldnt_see_listing_page-3050197-2.patch475 bytes

Attached a patch.

legolasbo’s picture

legolasbo
he/him
Primary language Dutch
Location Middelburg
CreditAttribution: legolasbo as a volunteer commented
Status: Needs review » Needs work

tests fail

Matroskeen’s picture

Matroskeen
Primary language Ukrainian
Location 🇺🇦 Ukraine, Lutsk
CreditAttribution: Matroskeen as a volunteer and at DevBranch, Drupal Ukraine Community commented
Status: Needs work » Needs review
FileSize
eck-3050197-4.patch1.17 KB

I think the patch makes sense - view to the listing page should be controlled by "access {entity_type_id} entity listing" permission.
Here is a new one with test correction.

Let's see the test results.

  • Matroskeen committed 4d7850d on 8.x-1.x 
    Issue #3050197 by dima.iluschenko, Matroskeen: Anonymous user shouldn't...
Matroskeen’s picture

Matroskeen
Primary language Ukrainian
Location 🇺🇦 Ukraine, Lutsk
CreditAttribution: Matroskeen as a volunteer and at DevBranch, Drupal Ukraine Community commented
Status: Needs review » Fixed

Committed to 8.x-1.x.
Thanks @dima.iluschenko, @legolasbo.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.