Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.I am using D7.43, og 7.x-2.8 and view 7.x-3.13 (most current versions as of the writing of this). I have a group content type that has an entity reference to a second group content type, which is not required by the first. I have written a view that is supposed to show the titles for each of these two content types. For sample data, I have created two records of the first content type. The first one has a value for the entity reference, and the second does not. In the view, for the entity reference field, I included a “none found” text for the “No Results”. While logged in as the admin, I can see both rows when previewing the view results, or viewing the view page. When logged in as anyone else in the group, I only see the row where the entity reference value has been supplied.
I've granted admin rights to my authenticated users to see the Views UI (so that I could see the query that gets generated). The one conspicuous addition is the EXISTS clause in the WHERE of the query. The reason the second row (where the entity reference is left blank, or there is no record added to the field value table) is excluded is that there is no field value to check against in the node_field_data_field_type2 table. The original EXISTS reads as follows (please forgive my messing with the parentheses, I did this so that I could read the query more easily):
( EXISTS (SELECT na.nid AS nid
FROM node_access na
WHERE ( ( na.gid = '0' AND na.realm = 'all' ) OR ( na.gid = '7' AND na.realm = 'og_access:node' ) )
AND na.grant_view >= '1'
AND node_field_data_field_type2_value.nid = na.nid ) )
I believe that this requires an addition of an IFNULL to check if there is no row defined for the entity reference field:
( EXISTS (SELECT na.nid AS nid
FROM node_access na
WHERE ( ( na.gid = '0' AND na.realm = 'all' ) OR ( na.gid = '7' AND na.realm = 'og_access:node' ) )
AND na.grant_view >= '1'
AND node_field_data_field_type2_value.nid = na.nid )
OR IFNULL(node_field_data_field_type2_value.nid, 1) )
As I reflect on this a bit more, it puzzles me why this query is checking what appears to be field level access. I do not have the og field access module enabled. Maybe the addition of this EXISTS is misplaced in the og module structure.
I do have a working sample site that is limited to just these pieces if you'd like me to upload it for you to trace this more easily (for me it took about 2 hours to isolate this from the site that I've been working on and separately define it).
I did find https://www.drupal.org/node/2339953, which seems quite similar (but no suggestion to fix it was given). This reference at least reminded me of a simple way to sidestep the problem, namely to “Disable SQL Rewriting”. Of course, what that is doing is to bypass the inclusion of the EXISTS statements which would have other security ramifications. However, sidestepping does not seem to me to be better than actually fixing the issue.
Comments
Comment #2
RoloDMonkey CreditAttribution: RoloDMonkey for Yale University commentedThis appears to be a duplicate of #1895082: OG_access not allowing entity reference fields to show..., which in turn is a duplicate of #1349080: node_access filters out accessible nodes when node is left joined.