When I create a view with all registrations, all the registrations are visible also to non-authorized users.
I would expect that if the Drupal core permission settings say that i.e. only authenticated users can only view their own registrations, these settings would also apply to a view.
In my case I have a view for a user with all his registrations (i.e. /user/23/registrations) based on contextual filtering. But when this user changes the user-id in the url he can see the registrations of others. Even anonymous users can see them. I could prevent anonymous users access by the views access settings. But I can't deny other users access to other user's registrations.
Comments
Comment #1
ecvandenberg CreditAttribution: ecvandenberg commentedWhen I check the payment module the have a special access restriction in Views called: "People with the View any payment permission and people who own the payments". That does the job.
Comment #2
nrackleff CreditAttribution: nrackleff commentedClosing this ecvandenberg since it looks like you figured a way to get the desired behavior.
Comment #3
ecvandenberg CreditAttribution: ecvandenberg commentedI don't think you should close this issue because I think this is unexpected behaviour that might lead to a security breach a site developer does not expect. So does not check. Which would be naive perhaps...
I solved it with a rule that compares the requested URL with the current user name. And if the match is false I redirect the user to a faked Access denied page.