Problem/Motivation

The results view has no permission set by default, while the my results has a wrong permission set on it.

Steps to reproduce

Install the module.

Proposed resolution

My results should have at least "View own quiz results" permission on it or it would be best a separate them as mentioned in another issue, while the Results view should have "View any quiz results" permission on it.

Remaining tasks

Implement.

User interface changes

-

API changes

-

Data model changes

-

Comments

golddragon007 created an issue. See original summary.

golddragon007’s picture

golddragon007 commented
Related issues: +#3278359: Separate permission to access my results overview page from view my results permission
djdevin’s picture

djdevin
he/him
Primary language English
Location Philadelphia
commented

I don't think "not protected" is correct, is it?

I'm not able to access /quiz/1/results as anon. I have to be logged in and have access to edit the Quiz.

golddragon007’s picture

golddragon007 commented

It is because you can't see the entities, but that does not mean the view itself is not rendered. You can put static text or any other text in the header/footer, which can be still rendered on the empty view.

No permission set: https://git.drupalcode.org/project/quiz/-/blob/8.x-6.x/config/install/vi...
Wrong permission set: https://git.drupalcode.org/project/quiz/-/blob/8.x-6.x/config/install/vi...

You can't see the results as anonymous because the results itself is protected by the entity's permission, but a protected view would give you a 403 error and it wouldn't be displayed to the user if he has no rights to access it. Also, it can happen that by mistake another module alters the entity permission wrongly and it will be rendered by the view. The general rule for me is that views always have to have permissions set as a second-line defence as it makes it harder to dump out something inappropriate.

djdevin’s picture

djdevin
he/him
Primary language English
Location Philadelphia
commented

Sorry, I was referencing the wrong view. We can update the permissions.

smustgrave’s picture

smustgrave commented
Version: 6.x-dev » 7.0.x-dev
Status: Active » Needs work

  • smustgrave committed 5c1c3a74 on 7.0.x 
    Issue #3278360 by golddragon007, djdevin, smustgrave: Results and my...
smustgrave’s picture

smustgrave commented
Status: Needs work » Fixed

Updated permissions.

Thanks all!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.