Problem/Motivation

Only users with administer users permission can reference blocked users in components that make use of entity reference selection plugins (with "default" group), such as entity reference field.

Proposed resolution

?

Remaining tasks

-

User interface changes

-

API changes

-

Data model changes

-

Original report by erlendoos

As a user without "administer users" permission I am only able to reference enabled users.

I have a use case where I reference users to content, but most of this users make sense for the content while it is unwanted for them to be able to login. I use the user entity to store properties and maybe in the future this entity might get a password.

How about to make this an option similar to "include the anonymous users" and remove the "administer users" requirement. New option name suggestion "Include disabled users".

CommentFileSizeAuthor
#31 reference-blocked-users-2756179-31.patch1.46 KBbinnythomas
#30 reference-blocked-users-2756179-30.patch1.46 KBbinnythomas
#27 reference-blocked-users-2756179.patch1.41 KBmdranove
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

erlendoos created an issue. See original summary.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

guldi’s picture

guldi CreditAttribution: guldi at Namics commented

+1 on 8.1.7

swentel’s picture

swentel CreditAttribution: swentel at eps & kaas for MuseScore commented
Component: field system » entity_reference.module
jibran’s picture

jibran
he/him
Primary language Urdu
Location Sydney, Australia
CreditAttribution: jibran commented
Component: entity_reference.module » entity system
Issue tags: -entity reference field

Moving to right component

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented
Component: entity system » user system

Can you provide the exact steps to reproduce and when/how it "fails"?

According to \Drupal\user\Plugin\EntityReferenceSelection\UserSelection::buildEntityQuery(), disabled users are only excluded for non-admins. And \Drupal\user\UserAccessControlHandler::checkAccess() also allows unlimited access with that permission except for the anon user.

Also moving to user.module, as the bug has to be somewhere there I think.

erlendoos’s picture

erlendoos CreditAttribution: erlendoos as a volunteer commented

I was able to reference any user, until I used a role that was not able to MANAGE user accounts. The connection between referencing and managing users surprised me. A role that connects users to content and a role that manages users can exist in the same system. A disabled user can be very handy at times where you want to keep profiles for people that you don't (not yet) want to have logins for. Being enabled or not has not so much to do with being available to be referenced or only being able to be referenced by someone that is able to enable the user. There is not always a logical connection between the two actions.

dpi’s picture

dpi
Location Perth, Australia
CreditAttribution: dpi as a volunteer commented
Title: Unable to reference disabled users » Seperate ability to reference blocked users from 'administer users' permission.
Category: Bug report » Feature request
Issue summary: View changes
Related issues: +#2329979: Allow blocked users in an entity reference field

Its not really a bug since we explicitly require a user to have 'administer users' permission in order to reference blocked users. So I'm inverting this issue to a feature request.

\Drupal\user\Plugin\EntityReferenceSelection\UserSelection:

if (!$this->currentUser->hasPermission('administer users')) {
  $query->condition('status', 1);
}

Despite the above comment, I don't necessarily approve this feature request.

jibran’s picture

jibran
he/him
Primary language Urdu
Location Sydney, Australia
CreditAttribution: jibran commented
Title: Seperate ability to reference blocked users from 'administer users' permission. » Separate ability to reference blocked users from 'administer users' permission.

Separate permission does make sense in this context because the ability to reference the blocked users does not look like an admin task but then the 'reference blocked users' permission is a very user selection plugin specific. There is a way around that, we can always user hook_query_TAG_alter with EFQ. IMO this is a won't fix.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented

While not quite the same as this request, I've added #2849620: Add filter option to UserSelection to exclude blocked users.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

letrotteur’s picture

letrotteur CreditAttribution: letrotteur commented

I've encountered this issue on a project recently. A bunch of users were created for editors to create a whole bunch of content (nodes). Then they left and their user accounts were blocked. Now, when a non-admin wants to edit those nodes, they can't and are prompted with a error message:

This entity (user: id) cannot be referenced.

and the authored by field is outline in red in the node.

Step to reproduce:

  1. Create a user with non-admin role
  2. Create nodes with that user
  3. Block the user
  4. A second user (who is non-admin) edits the node and tries to save it.
  5. The second user gets a “This entity (user:id) cannot be referenced” error, where the id corresponds to the blocked user that created the node.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

specky_rum’s picture

specky_rum CreditAttribution: specky_rum commented

Another place where I believe this same issue is coming up... A client has users listed in a directory but some of those users aren't actually able to access the site and to achieve that we blocked their accounts. The knock on effect however is that anyone without administer users (most users) can now no longer see those users when performing a user search.

Unless I'm missing something this would seem to be a bug. If I block a user I'm only saying that user can no longer login, I'm not saying anything about whether or not they can be viewed by other users? Or have I missed something? It certainly doesn't say anything else on the edit user form where you set their status.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

sleitner’s picture

sleitner CreditAttribution: sleitner commented

I had the same problem as @letrotteur. +1

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

timohuisman’s picture

timohuisman
Primary language Dutch
Location Leiden, Netherlands
CreditAttribution: timohuisman at SWIS commented

I have also the same problem as @letrotteur. We're facing this problem on multiple sites.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

mdranove’s picture

mdranove CreditAttribution: mdranove commented

Experiencing same issue. Workaround on our site is to delete the blocked user from the entity reference field. This is not ideal for business reasons.

mdranove’s picture

mdranove CreditAttribution: mdranove commented
FileSize
reference-blocked-users-2756179.patch1.41 KB

Created a simple patch to add a "reference users" permission to replace the "administer users" conditional logic in

/user/Plugin/EntityReferenceSelection/UserSelection.php

Before:

 if (!$this->currentUser->hasPermission('administer users')) {
       $query->condition('status', 1);
     }

After:

if (!$this->currentUser->hasPermission('reference users')) {
       $query->condition('status', 1);
     }

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

binnythomas’s picture

binnythomas CreditAttribution: binnythomas at Salsa Digital for Drupal India Association commented

Patch #27 works for me.

binnythomas’s picture

binnythomas CreditAttribution: binnythomas at Salsa Digital for Drupal India Association commented
FileSize
reference-blocked-users-2756179-30.patch1.46 KB

Updating the patch @ #27 to include administer users permission as well.

binnythomas’s picture

binnythomas CreditAttribution: binnythomas at Salsa Digital for Drupal India Association commented
Version: 10.1.x-dev » 9.4.x-dev
FileSize
reference-blocked-users-2756179-31.patch1.46 KB

The previous patch has a typo. Uploading new patch.

sleitner’s picture

sleitner CreditAttribution: sleitner commented
Version: 9.4.x-dev » 10.1.x-dev
Status: Active » Needs work
Issue tags: +Needs tests

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

sleitner’s picture

sleitner CreditAttribution: sleitner commented

I tested this again, but there is no error anymore. Should we close it as outdated?

Akhil Babu’s picture

Akhil Babu
he/him
CreditAttribution: Akhil Babu at QED42 commented
Status: Needs work » Closed (duplicate)

The "This entity (user: id) cannot be referenced." error described in #13 is no longer reproducible in Drupal 11(11.0-dev). However, the original issue ('Users without 'administer users' permission not able to reference blocked users in entity autocomplete form') is still reproducible. That issue is being discussed in #2849620: Add filter option to UserSelection to exclude blocked users, so I am closing this issue as a duplicate.

Akhil Babu’s picture

Akhil Babu
he/him
CreditAttribution: Akhil Babu at QED42 commented
Related issues: +#2849620: Add filter option to UserSelection to exclude blocked users