Problem/Motivation
The Results view has no permission set by default, while the My results view has a wrong permission set on it.
Steps to reproduce
Install the module.
Proposed resolution
My results should have at least the "View own quiz results" permission on it, or it would be best to separate them as mentioned in another issue, while the Results view should have the "View any quiz results" permission on it.
Remaining tasks
Implement.
User interface changes
-
API changes
-
Data model changes
-
Comments
Comment #2
golddragon007 commented
Comment #3
djdevin
I don't think "not protected" is correct, is it?
I'm not able to access /quiz/1/results as anon. I have to be logged in and have access to edit the Quiz.
Comment #4
golddragon007 commented
It is because you can't see the entities, but that does not mean the view itself is not rendered. You can put static text or any other text in the header/footer, which can still be rendered on the empty view.
No permission set: https://git.drupalcode.org/project/quiz/-/blob/8.x-6.x/config/install/vi...
Wrong permission set: https://git.drupalcode.org/project/quiz/-/blob/8.x-6.x/config/install/vi...
You can't see the results as anonymous because the results themselves are protected by the entity's permission, but a protected view would give you a 403 error and it wouldn't be displayed to the user if he has no rights to access it. Also, it can happen that by mistake another module alters the entity permission wrongly and it will be rendered by the view. The general rule for me is that views always have to have permissions set as a second-line defence as it makes it harder to dump out something inappropriate.
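An added example, not part of the thread or of the Quiz module: a small Ruby audit that applies the "views always need a permission" rule from the comment above to exported Views config, flagging every display whose effective access plugin is `none` or missing. The two YAML documents, the view ids, the paths and the permission string are constructed placeholders, and the script assumes a display without its own `access` block inherits the default display's.

```ruby
require 'yaml'

# Constructed sample configs (placeholders, not the Quiz module's real files).
UNPROTECTED = <<~YAML
  id: example_results
  display:
    default:
      display_plugin: default
      display_options:
        access:
          type: none
          options: {  }
    page_1:
      display_plugin: page
      display_options:
        path: example/%/results
YAML

PROTECTED = <<~YAML
  id: example_my_results
  display:
    default:
      display_plugin: default
      display_options:
        access:
          type: perm
          options:
            perm: 'placeholder permission machine name'
    page_1:
      display_plugin: page
      display_options:
        path: example/my-results
YAML

# Returns [[view_id, display_id, access_type], ...] for every display whose
# effective access plugin is "none" or absent. A display that does not
# define its own access block falls back to the default display's.
def unprotected_displays(yaml_text)
  view = YAML.safe_load(yaml_text)
  displays = view.fetch('display', {})
  default_access = displays.dig('default', 'display_options', 'access')
  displays.filter_map do |display_id, display|
    access = display.dig('display_options', 'access') || default_access
    type = access.is_a?(Hash) ? access['type'] : nil
    [view['id'], display_id, type || 'missing'] if type.nil? || type == 'none'
  end
end

# Print one tab-separated finding per unprotected display.
[UNPROTECTED, PROTECTED].each { |cfg| unprotected_displays(cfg).each { |row| puts row.join("\t") } }
```

To audit a real module, pass the contents of each `views.view.*.yml` file under its config directory to `unprotected_displays`.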
Comment #5
djdevin
Sorry, I was referencing the wrong view. We can update the permissions.
Comment #6
smustgrave commented
Comment #8
smustgrave commented
Updated permissions.
Thanks all!