created a new profile field from account settings (core). The type is entity reference with a checkbox widget being used. It is referencing content type A as follows:

target type = node
mode = simple
content type a selected under target bundles
sorted by title

works great for admin but the only way I could get it viewable by authenticated users was to grant them the following permission

Bypass content access control
View, edit and delete all content regardless of permission restrictions. Warning: Give to trusted roles only; this permission has security implications.

Troubleshooting I selected every single permission but that one and still authenticated users could not see the profile field.

Comments

gwalliman’s picture

gwalliman CreditAttribution: gwalliman commented

I'm having the same problem in 7.x-10. Does anyone know how to fix this?

bletch’s picture

bletch CreditAttribution: bletch commented
Version: 7.x-1.x-dev » 7.x-1.0-rc5

I have the same issue with 7.x-1.0 - field values only display for user with administrator role. Occurs on a number of page types including:

1. Views outputs
2. Standard node pages

All are configured as autocomplete entity reference fields.

There is an interesting caveat, this only happens for fields that reference a user entity. If the user referenced is the SAME as the logged in user, then the value displays. I have, on the same content type, entity reference fields that reference a node. These appear as expected. But any entity reference field that references a user who is not the currently logged in user does not display.

The issue is only with the display. The logged in user can edit the fields fine, they just cannot see them.

I am using field permissions module to manage the permissions. On all entity reference fields, the roles that cannot see the values are given permission to:

Create own value for field xxxxx
Edit anyone's value for field xxxxxx
View anyone's value for field xxxxxx

Any ideas?

asherry’s picture

asherry CreditAttribution: asherry commented
Version: 7.x-1.0-rc5 » 7.x-1.0
Priority: Normal » Major

I'm going to bump this up as this is still an issue in the 1.0 release. We have a view with a relation set to the entity referenced by a particular field, (entity reference field) and all non-admins are blocked from seeing this content.

gghh2’s picture

gghh2 CreditAttribution: gghh2 commented

I have the same issue, with a normal view that just have a display with a reference. In Drupal Commerce they have the same issue with products.

Anonymous can't see the content even if they have rights to access all content.
Best regards !

gilsbert’s picture

gilsbert CreditAttribution: gilsbert commented
Version: 7.x-1.0 » 7.x-1.x-dev

I have the same issue and it is not limited to an entity referencing users.
Just like reported here ( https://drupal.org/node/2113919 ) it is happening with entity referencing nodes too.
+1 asking a solution!

By the way, the last dev (7.x-1.0+8-dev) has the issue.

gilsbert’s picture

gilsbert CreditAttribution: gilsbert commented
Priority: Major » Critical
xqbzzr’s picture

xqbzzr CreditAttribution: xqbzzr commented

+1

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Priority: Critical » Normal
Status: Active » Postponed (maintainer needs more info)

Could anyone extract the query generated by one of the affected Views?

gilsbert’s picture

gilsbert CreditAttribution: gilsbert commented

Hi.

In my case the query is below.

SELECT node.type AS node_type, node.nid AS nid, node.title AS node_title, field_data_field_sel_not_galeria.delta AS field_data_field_sel_not_galeria_delta, field_data_field_sel_not_destaque.delta AS field_data_field_sel_not_destaque_delta, node_revision.timestamp AS node_revision_timestamp, 'node' AS field_data_field_noticias_imagem_node_entity_type, 'node' AS field_data_field_notext_link_node_entity_type, 'node' AS field_data_body_node_entity_type
FROM
{node} node
LEFT JOIN {field_data_field_sel_not_galeria} field_data_field_sel_not_galeria ON node.nid = field_data_field_sel_not_galeria.field_sel_not_galeria_target_id
LEFT JOIN {node} field_sel_not_galeria_node ON field_data_field_sel_not_galeria.entity_id = field_sel_not_galeria_node.nid
LEFT JOIN {field_data_field_sel_not_destaque} field_data_field_sel_not_destaque ON node.nid = field_data_field_sel_not_destaque.field_sel_not_destaque_target_id
LEFT JOIN {node} field_sel_not_destaque_node ON field_data_field_sel_not_destaque.entity_id = field_sel_not_destaque_node.nid
LEFT JOIN {node_revision} node_revision ON node.vid = node_revision.vid
WHERE (( (node.status = '1') AND (node.type IN ('noticias', 'noticias_externas')) ))
ORDER BY field_data_field_sel_not_galeria_delta ASC, field_data_field_sel_not_destaque_delta ASC, node_revision_timestamp DESC
LIMIT 10 OFFSET 0

What I have is a sequence of nodes that hold 'news' for my site.
There are two types of news: internal and external (content types 'noticias' and 'noticias_eternas').
There are two places to show news: 'galeria' and 'destaque'.
This view in particular is a third place where we show a list of all news ordered by: 1 - news in 'galeria', 2 - news in 'destaque', 3 - node update date for all the others news.

The view works perfectly for "user 1" - the superuser.

The view doesn't work for anonymous user (empty result).

We have two similar views to show the news at 'galeria' and at 'destaque' blocks and both are working.
There is a difference between this view and the others two: the relationship.
It works if it is 'mandatory'.
It doesn't work when it is not mandatory.

It is basically what is reported here: https://drupal.org/node/2113919

I believe there is not a problem in the query but in the record's post processor.

Regards,
Gilsberty

kari.nies’s picture

kari.nies CreditAttribution: kari.nies commented

Same problem. I have a simple photo album where the album cover is an entity reference to a photo node.

My problem is that albums where the cover has not been selected (where the reference is unset) are getting filtered from views for anonymous and non-admin users. The "require this relationship" option is UNCHECKED for the album cover relationship in my view, but album nodes without cover references are getting filtered from the view listing. All album nodes are listing for admins only. If I edit an album to select a photo cover, the albums shows up in the view listing for non-admins.

I've spent most of the afternoon chasing down potential permission problems, but the problem seems to be with the entity reference relationship in my view.
The problem seems to be that the "require this relationship" option is ignored (always true) when the view is presented to a non-admin.

May have to try switching to the References module to see if this fixes the problem. Has anyone tried that?

kari.nies’s picture

kari.nies CreditAttribution: kari.nies commented

This is the query that I was able to obtain from my view, but this is as admin, so it would be giving the correct listing. I'm not sure if it would differ for a non-admin.

SELECT node.nid AS nid, node.title AS node_title, node_field_data_field_album_cover.nid AS node_field_data_field_album_cover_nid, node.sticky AS node_sticky, node.created AS node_created, 'node' AS field_data_field_photo_node_entity_type
FROM
{node} node
LEFT JOIN {field_data_field_album_cover} field_data_field_album_cover ON node.nid = field_data_field_album_cover.entity_id AND (field_data_field_album_cover.entity_type = 'node' AND field_data_field_album_cover.deleted = '0')
LEFT JOIN {node} node_field_data_field_album_cover ON field_data_field_album_cover.field_album_cover_target_id = node_field_data_field_album_cover.nid
WHERE (( (node.status = '1') AND (node.type IN ('album')) ))
ORDER BY node_sticky DESC, node_created DESC
LIMIT 12 OFFSET 0

kari.nies’s picture

kari.nies CreditAttribution: kari.nies commented

Well, I this is interesting.... I installed the References module and used a node reference in place of an entity reference for my album cover and I am seeing the exact same behavior.

gilsbert’s picture

gilsbert CreditAttribution: gilsbert commented

#12: Ouch... no way out then!

Lets wait for Damien Tournoud's analysis.
I'm sure he is trying to find a solution.

Regards,
Gilsberty

gilsbert’s picture

gilsbert CreditAttribution: gilsbert commented

Hi.

The issue https://drupal.org/node/1349080 might be the reason for our problems?

If yes then the patch for D7 is almost complete.
Maybe we could join forces and finish it.

Regards,
Gilsberty

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Issue summary: View changes
Status: Postponed (maintainer needs more info) » Closed (duplicate)

The queries (before access control) look correct, so this is not an Entity Reference issue. Let's track the access control issue in #1349080: node_access filters out accessible nodes when node is left joined.

gilsbert’s picture

gilsbert CreditAttribution: gilsbert commented

I made a test using the new patch at #134980, comment #149 and if the patch is correct then this issue is not related with the access control issue!

gopal6988’s picture

gopal6988 CreditAttribution: gopal6988 commented

Any update on this, i am having the same problem cant able to resolve.

gilsbert’s picture

gilsbert CreditAttribution: gilsbert commented

Hi.

The patch at https://drupal.org/node/1349080 - comment #149 is avaliable for D7.

It didn't work for me but it seems to be a problem specific with the layer for my database (postgresql).

Please try the patch and report the results for us.

Regards,
Gilsberty

gopal6988’s picture

gopal6988 CreditAttribution: gopal6988 commented

Any update on this