When I create a view with all registrations, all the registrations are visible also to non-authorized users.

I would expect that if the Drupal core permission settings say that i.e. only authenticated users can only view their own registrations, these settings would also apply to a view.

In my case I have a view for a user with all his registrations (i.e. /user/23/registrations) based on contextual filtering. But when this user changes the user ID in the URL he can see the registrations of others. Even anonymous users can see them. I could prevent anonymous users' access by the Views access settings. But I can't deny other users access to other users' registrations.

Comments

ecvandenberg

When I check the payment module they have a special access restriction in Views called: "People with the View any payment permission and people who own the payments". That does the job.

nrackleff

Status: Active » Closed (works as designed)

Closing this ecvandenberg since it looks like you figured a way to get the desired behavior.

ecvandenberg

I don't think you should close this issue because I think this is unexpected behaviour that might lead to a security breach a site developer does not expect. So does not check. Which would be naive perhaps...

I solved it with a rule that compares the requested URL with the current user name. And if the match is false I redirect the user to a faked Access denied page.
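
A server-side form of the ownership check discussed in this thread, as an added example that is not code from the Registration module or from any commenter. It assumes Drupal 7 and Views 3; the module name `mymodule`, the view machine name `user_registrations`, and the permission string are hypothetical placeholders, and the first contextual filter value is assumed to be the user ID from the path.

```php
<?php
/**
 * Hypothetical helper: may $account see the registrations of $requested_uid?
 * Mirrors "people with the view-any permission and people who own the items".
 */
function mymodule_may_view_registrations($requested_uid, $account) {
  // Reject missing or non-numeric arguments instead of letting the view
  // fall back to an unfiltered listing.
  if (!ctype_digit((string) $requested_uid)) {
    return FALSE;
  }
  // Anonymous users (uid 0) never own registrations in this model.
  if (empty($account->uid)) {
    return FALSE;
  }
  // Placeholder permission name: substitute the site's real "view any" permission.
  if (user_access('PLACEHOLDER view any registration', $account)) {
    return TRUE;
  }
  // Compare numeric user IDs, not user names taken from the URL.
  return (int) $requested_uid === (int) $account->uid;
}

/**
 * Implements hook_views_pre_view().
 *
 * Runs before the view is built, so no rows are queried or rendered
 * for a request that fails the ownership check.
 */
function mymodule_views_pre_view(&$view, &$display_id, &$args) {
  // Assumed machine name of the per-user registrations view.
  if ($view->name !== 'user_registrations') {
    return;
  }
  $requested_uid = isset($args[0]) ? $args[0] : NULL;
  if (!mymodule_may_view_registrations($requested_uid, $GLOBALS['user'])) {
    // Send a real 403 response and stop processing the request.
    drupal_access_denied();
    drupal_exit();
  }
}
```

Because the check runs on the view itself rather than on the requested URL, it also applies when the same view is reached through another path or display.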