Steps to reproduce:
- create an entity reference field referencing a block on article
- create a block and set any condition (e.g. only visible on admin pages)
- create an article and reference this block and save
- go back to edit screen.

You'll see something like '- Restricted access - (block_id)' in the textfield.

Tricky one to fix right I suppose, maybe other (config) entities might have the same problem.
The quick fix I did for now was overriding the block access handler and adding following lines in the accessCheck method

    // On queues, everything is fine for block contents.
    $path = \Drupal::request()->getPathInfo();
    $parts = explode('/', $path);
    $settings = $entity->get('settings');
    if ($operation == 'view' && isset($parts[3]) && $parts[3] == 'entityqueue' && $settings['provider'] == 'block_content') {
      return AccessResult::allowed();
    }

Note, custom project, so this works fine for me now, not sure what the proper solution would be here.

CommentFileSizeAuthor
#8 interdiff.txt1.08 KBamateescu
#8 2634158-8.patch3.88 KBamateescu
#5 2634158-5.patch2.8 KBswentel
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

swentel created an issue. See original summary.

amateescu’s picture

amateescu CreditAttribution: amateescu commented
Status: Active » Closed (cannot reproduce)

Both myself and @swentel can not reproduce this with core alone, so it must be a site-specific problem.

swentel’s picture

swentel CreditAttribution: swentel commented
Project: Entityqueue » Drupal core
Version: 8.x-1.x-dev » 8.0.x-dev
Component: Code » entity_reference.module
Issue summary: View changes
Status: Closed (cannot reproduce) » Active

Could actually produce this now, it's a core problem.

swentel’s picture

swentel CreditAttribution: swentel commented
Title: Referencing a block leads to 'Unrestricted access' for label » Referencing a block that has conditions leads to 'Unrestricted access' for label
swentel’s picture

swentel CreditAttribution: swentel commented
Status: Active » Needs review
FileSize
2634158-5.patch2.8 KB

Test that demonstrates the bug.
(note been a bit lazy and went for standard profile for now)

Status: Needs review » Needs work

The last submitted patch, 5: 2634158-5.patch, failed testing.

amateescu’s picture

amateescu CreditAttribution: amateescu for Pfizer, Inc. commented
Status: Needs work » Postponed

This will be easy to fix once #2471154: Anonymous user label can't be viewed and auth user labels are only accessible with 'access user profiles' permission is done.

amateescu’s picture

amateescu CreditAttribution: amateescu for Pfizer, Inc. commented
Version: 8.0.x-dev » 8.1.x-dev
Status: Postponed » Needs review
FileSize
2634158-8.patch3.88 KB
interdiff.txt1.08 KB

That patch was committed to 8.1.x and 8.2.x, so we can fix this now for those two branches.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented

Just wondering what you're doing with those kind of references.

We have an existing issue that shows that such a reference doesn't really make sense since you wouldn't be able to reliably show those blocks anyway (they are theme specific, might have any kind of visibility restruction and so on).

And that the better approach to reference "blocks" would be to reference to block plugins with inline configuration, based on Xano's plugin project for example.

+++ b/core/modules/block/src/BlockAccessControlHandler.php
@@ -94,6 +101,11 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
+    // Grant access to the block label at all times.
+    if ($operation === 'view label') {
+      return AccessResult::allowed();
+    }

Are we really sure about that? we're talking about admin labels.

amateescu’s picture

amateescu CreditAttribution: amateescu for Pfizer, Inc. commented

Are we really sure about that? we're talking about admin labels.

Ouch, that's right. Should we check the 'administer blocks' permission instead?

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented

Maybe? I'm not really sure what entity reference does with such an all-or-nothing reference case, what happens exactly if you don't have that permission? you shouldn't be able to see them in the first place? We unfortunately don't have a list operation, if we'd have that, we could deny access to such a field completely.

amateescu’s picture

amateescu CreditAttribution: amateescu for Pfizer, Inc. commented

Then let's wait for @swentel to expand on his use case a bit, since I'm pretty sure he's aware of the shortcomings of referencing block entities.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

jibran’s picture

jibran
he/him
Primary language Urdu
Location Sydney, Australia
CreditAttribution: jibran commented
Component: entity_reference.module » entity system

Moving to right component

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented
Assigned: Unassigned » swentel
Status: Needs review » Postponed (maintainer needs more info)

Per #12

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

pameeela’s picture

pameeela CreditAttribution: pameeela commented

@swentel, as part of the Bug Smash Initiative, we are triaging issues that are marked "Postponed (maintainer needs more info)".

There haven't been any updates on this since it was postponed in 2016 - do you think it can be closed now?

swentel’s picture

swentel CreditAttribution: swentel commented
Status: Postponed (maintainer needs more info) » Closed (outdated)

@pameela it's been ages since I encountered this and I don't really remember the use case anymore, so I'm totally fine with closing it :)

pameeela’s picture

pameeela CreditAttribution: pameeela commented
Issue tags: +Bug Smash Initiative