Updated: Comment #161
When two node tables are left joined then access checks prevent access to the node when nothing is matched in the table on the right-hand side of the join.
Access should be granted when nothing is matched in the right-hand side (and the node on the left-hand side is permitted).
See the test in the patch to reproduce, or more manually in D7:
1. install Entityreference and Views,
2. create a field referencing nodes (using entityreference),
3. create a node having the entityreference field empty,
4. create a View with a optional relationship using the entityreference field,
5. for regular users the View will not return the node.
(Description of the proposed solution, the rationale behind it, and workarounds for people who cannot use the patch.)
If we are looking at a joined table, add the node access check to the join condition.
So that we are only restricting access, if we are actually access something.
Bring the test up to speed with core.
Address placeholder token name collision when node table is joined twice or more (e.g. node appears at least 3 times in a query).
In Postgres with 3 node tables and a count query, placeholders are getting inserted in the wrong sequence. (At least in D7 -- have not confirmed D8)
Address issue of node access with a type of "entity" -- no known cases where this bug is triggered, recommend creating new issue.
User interface changes
\Drupal\node\NodeGrantDatabaseStorageInterface->alterQuery makes changes in its tables parameter. (not sure what this is referring to...)
No API changes -- this patch changes how the query is altered when enforcing node access to correctly alter queries with multiple node tables.
Original report by [username]
I'm loving the Entity Reference module, but I've come across some weird behavior. It's probably just something I've missed setting.
I have a content type called Album. I've got another content type called Review which has an entity reference to Album.
I've created a View which lists Albums. I wanted to include some fields from my Review content type, but I still want to list each Album, even if a review referencing the album has not been created yet.
In my view, under Relationships, I add an "Entity Reference: Referencing entity" relationship. I make sure "Require this relationship" is NOT checked.
When I'm logged in as an administrator, all Albums are returned, as expected. But when I'm not logged in, or I'm logged in as a regular user, only albums that are referenced by a review are displayed. I'm really puzzled as to why I get different results depending on my user role.
I get the same results regardless of if I add fields from the Review content type or not. I've tried clearing the cache multiple times, and I've tried checking and unchecking the "Require this relationship" box. I've deleted the relationship and tried adding it again, but I always get the same results.
|PASSED: [[SimpleTest]]: [MySQL] 41,483 pass(es).|
|FAILED: [[SimpleTest]]: [MySQL] 41,146 pass(es), 1 fail(s), and 0 exception(s).|
|FAILED: [[SimpleTest]]: [PHP 5.4 MySQL] Unable to apply patch 1349080-195-d7-move-access-to-join-condition.patch. Unable to apply patch. See the log in the details link for more information.|