Just thought I'd mention that the default views setup is a bit risky since the views are "pages" and thus require paths. In the absence of custom access settings, any user can access /mnc/messages/1, for example, to see user 1's (admin's) notifications.
If page views with a path are still desired for whatever reason, I suppose a class mnc_access_plugin extends views_plugin_access {} could be added that uses an access function to ensure the path user's id == logged in user's id (if not admin).
Comment | File | Size | Author |
---|---|---|---|
#4 | mnc-remove_paths_in_views-2428789-4.patch | 3.9 KB | cmonnow |
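A sketch of the access plugin suggested in the issue summary, as an added example that is not code from the thread or from the MNC module. It assumes Views 3 on Drupal 7 (where integer access-callback arguments are replaced with path components) and a page display at mnc/messages/%; the plugin key `mnc_owner`, the callback name `mnc_owner_access` and the choice of `administer users` as the admin permission are assumptions.

```php
<?php
// Added example, not MNC code. Assumes Views 3 on Drupal 7 and a page
// display at mnc/messages/% (the uid is path component 2).

/** Implements hook_views_plugins(): registers the access plugin. */
function mnc_views_plugins() {
  return array('access' => array('mnc_owner' => array(
    'title' => t('Notification owner or administrator'),
    'handler' => 'mnc_access_plugin',
    'uses options' => FALSE,
  )));
}

class mnc_access_plugin extends views_plugin_access {
  function summary_title() {
    return t('Owner or administrator');
  }

  // Direct checks (embeds, previews): read the uid from the view arguments.
  function access($account) {
    $uid = isset($this->view->args[0]) ? $this->view->args[0] : NULL;
    return mnc_owner_access($uid, $account);
  }

  // Menu router check: Views substitutes the integer 2 with that path
  // component before calling the function.
  function get_access_callback() {
    return array('mnc_owner_access', array(2));
  }
}

/** Access callback (hypothetical name): path uid must match the viewer. */
function mnc_owner_access($path_uid, $account = NULL) {
  $account = isset($account) ? $account : $GLOBALS['user'];
  // Assumption: 'administer users' is the permission that marks an admin.
  if (user_access('administer users', $account)) {
    return TRUE;
  }
  // Fail closed: anonymous users and malformed ids never match.
  if (empty($account->uid) || !ctype_digit((string) $path_uid)) {
    return FALSE;
  }
  return (int) $path_uid === (int) $account->uid;
}
```

The class file has to be listed in the module's .info `files[]` entries, and each page display then needs this plugin selected as its access method.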
Comments
Comment #1
Andre-B: valid point, got a patch? I also should mention that the provided views are far from perfect. I also don't like how mnc is tied to features at the moment, causes more trouble than it solves, better approach will be to import the views upon installation and do a manual export once they are in a way that they are reusable?
Comment #2
Andre-B: if this page was viewed by another user, and an unread message got marked read, this message can't be marked unread again using mark all unread (had to manually delete the flagging entries from the database). not sure why, this happens and I don't want to find out, normally no one else flags a message read for a different user than himself
Comment #3
cmonnow: Right now I'm using a custom access hack but soon when I have a chance I'll try to make a page to block patch. Shame that views doesn't allow this conversion. I also haven't messed around with features enough to know how reliable it is (a lot would depend on the user remembering customisations I suppose).
Regarding the second point, I believe I haven't had that issue since I implemented the first hack in the list in https://www.drupal.org/node/2263099#comment-8789259. Even with access rights fixed you need this patch for admin to view others' messages.
Comment #4
cmonnow: Assuming a direct path to the view is unnecessary in the foreseeable future, here's a patch that removes all 4 views paths (and changes all 'pages' to 'blocks').
Comment #5
cmonnow
Comment #6
Andre-B: do you know what happens if I apply this patch to an installation that already has mnc enabled? will it break the current views/ displays and references or will it pretty much stay the same as before but without paths?
Comment #8
Andre-B: committed. seems to work so far, I had some uncommitted rules stuff still waiting in my workspace as well. guess we can close this one here now? The other issue is really related to https://www.drupal.org/node/2263099#comment-8789259
Comment #9
Andre-B
Comment #10
cmonnow: Did you apply the patch to an existing installation after all?
Since I have so many hacks applied to my working version from the outset I'm too afraid to try (my "playground" environments need updating). My views have already been modified so if features override I assume those modifications will be lost?
Hopefully when I get around to optimising most of my website's views with Features (which being code is apparently faster to load than initializing views) I will get more proficient with it.
Comment #11
Andre-B: yes I did, that installation did not reference the view itself on any panel page whatsoever, nor was the view overridden, if someone updates mnc with a newer version it should not be a problem here. unless he uses the paths. also if the view was overridden by him before the update should not break the page, but show the mnc view as overridden.
update: I also really want to remove the features integration for mnc in the future, it causes more trouble to maintain than it fixes.