Currently, when a view is shown as an entity tab, this happens:

- hook_menu() calls our access callback, which just checks the 'view' entity_access() operation
- if that passes, our operation handler's page callback gets the view, and checks access to it.

That means that if a user has 'view' access, but not access to the view, they can see the tab, and load it, but all they see is blank content in the tab. This is obviously a bug.

We could get the view and check its access in the op handler's access callback, but that would mean getting the view when on any of the other entity tabs, just to check whether to show it or not. This doesn't involve running the view query, but it still feels like quite a heavy operation just to determine whether to show a tab.

Therefore, I think that it would be a good idea for the EntityOperationsOperationPageViews handler's menu_item() to examine the View, and see what access plugin it has. (This is okay to do here, since hook_menu() is an expensive operation called on cache clear only).

This is actually the same thing that Views itself does in execute_hook_menu() -- inspects the access plugin and puts its access callback into hook_menu().

Comments

joachim’s picture

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.