Dear all,

I've had multiple reports of the following problem. I have not been able to reproduce the problem, but maybe we can in a collaborative effort: Field collection seems to preload server saved data the anonymous user shouldn't have access to.

Setup

  • This is a field collection that holds multiple fields: Four of type text, one of type email and one of type Country
  • It is embedded in a content type
  • I am using custom field permissions: For the field Anonymous can only create its own value, not edit own value, not edit anyone's value, view own value for the field, not view anyone's value
  • Cardinality is unlimited
  • Blank Items are hidden

Description

  • Anonymous starts to create a note
  • Anonymous fills one field of the field collection
  • Anonymous adds another field of this type
  • This field comes preloaded with content from the server.

Problem

  • The preloaded content shouldn't appear
  • The loaded content was definitely inserted from a physically different location, no browser auto-completion or caching possible

Possible Ideas

Maybe this happens because of this? I hope to find more ideas here in the issue queue.

  • Anonymous can create a node
  • Using Field Access permissions
  • Server side caching (using standard Drupal only)

Any ideas? Thanks.

Comments

jmuzz

Status: Active » Closed (duplicate)

I think it is the "Field Access permissions." You are using the contrib field permissions module for this, correct? Unfortunately it doesn't yet work for field collections. Please reopen if these issues don't cover the problem you have in mind.

#1838976: field permissions do not work with field collection

#1954124: Fields part of field collection are ownerless

nhck

Whilst these issues are similar, I am not sure if they really cover the problem - or if they do and I am just misreading, then the problem is much worse.

Whilst it is stated in both that the permissions are not enforced, it should be possible for Anonymous to randomly get user-provided data from the server, should it?

jmuzz

Status: Closed (duplicate) » Active

You're right, it seems strange that the data would appear preloaded in a field collection when a user adds another field collection. I can't say for sure, but I no longer think it is related to the problems with the field permissions module.

Do you by any chance have "Cache pages for anonymous users" turned on in /admin/config/development/performance ?

nhck

Yes, this option is used, but the form cache is built using unique form-ids. I wonder if this could be retrieved in case the form_id is not correct (just because field_collection_remove_js() fiddles with it)?

jmuzz

I haven't looked closely at it yet, but I think what you saw might be related to this. #2242751: Ajax form page callback require updates for Drupal 7.27

nhck

Status: Active » Closed (fixed)

Since the whole problem happens during adding new fields, this is probably true. This commit fixes it, I think:

http://drupalcode.org/project/drupal.git/blobdiff/dc791ec5839b52c7616bf6...

So upgrading to Drupal 7.27 should be encouraged, especially for this module.
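Added example, not part of the thread and not Drupal's code: a simplified Python model of the interaction the thread converges on, where a page cached for anonymous users hands every visitor the same form build id while the server keeps form state under that id. The `Site` class, its methods, the path and the sample values are hypothetical, and the hardened branch assumes the fix is to give a visitor a fresh private build id on the first Ajax rebuild of a form that came from a cached page.

```python
import secrets


class Site:
    """Toy model: anonymous page cache plus a server-side form-state cache."""

    def __init__(self, regenerate_cached_build_id):
        self.fixed = regenerate_cached_build_id
        self.page_cache = {}  # path -> form build id embedded in the cached HTML
        self.form_cache = {}  # form build id -> item values stored server side

    def get_page(self, path):
        # Every anonymous visitor after the first receives the same cached
        # HTML, and therefore the same form build id.
        if path not in self.page_cache:
            build_id = "form-" + secrets.token_urlsafe(8)
            self.page_cache[path] = build_id
            self.form_cache[build_id] = []
        return self.page_cache[path]

    def ajax_add_item(self, build_id, typed_value):
        """'Add another item': store the input, rebuild the form from cached state.

        Returns (build id the client must use from now on, rendered item values).
        """
        state = self.form_cache[build_id]
        if self.fixed and build_id in self.page_cache.values():
            # Hardened: an id served from the page cache is shared, so copy the
            # untouched state under a fresh private id before storing any input.
            state = list(state)
            build_id = "form-" + secrets.token_urlsafe(8)
            self.form_cache[build_id] = state
        state.append(typed_value)
        return build_id, state + [""]  # stored items plus the new blank item


def second_visitor_view(site):
    """Visitor A fills one item and adds another; return what visitor B is shown."""
    a_id = site.get_page("/node/add/note")              # constructed path
    site.ajax_add_item(a_id, "alice@example.org")       # constructed sample input
    b_id = site.get_page("/node/add/note")
    _, items = site.ajax_add_item(b_id, "bob's text")   # constructed sample input
    return items
```

With `Site(False)` the second visitor's rebuilt form contains the first visitor's value, which matches the "preloaded" item in the report; with `Site(True)` each visitor only sees their own input.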