Problem/Motivation
Only users with administer users permission can reference blocked users in components that make use of entity reference selection plugins (with "default" group), such as entity reference field.
Proposed resolution
?
Remaining tasks
-
User interface changes
-
API changes
-
Data model changes
-
Original report by erlendoos
As a user without "administer users" permission I am only able to reference enabled users.
I have a use case where I reference users to content, but most of this users make sense for the content while it is unwanted for them to be able to login. I use the user entity to store properties and maybe in the future this entity might get a password.
How about to make this an option similar to "include the anonymous users" and remove the "administer users" requirement. New option name suggestion "Include disabled users".
Comment | File | Size | Author |
---|---|---|---|
#31 | reference-blocked-users-2756179-31.patch | 1.46 KB | binnythomas |
#30 | reference-blocked-users-2756179-30.patch | 1.46 KB | binnythomas |
#27 | reference-blocked-users-2756179.patch | 1.41 KB | mdranove |
Comments
Comment #3
guldi CreditAttribution: guldi at Namics commented+1 on 8.1.7
Comment #4
swentel CreditAttribution: swentel at eps & kaas for MuseScore commentedComment #5
jibranMoving to right component
Comment #6
BerdirCan you provide the exact steps to reproduce and when/how it "fails"?
According to \Drupal\user\Plugin\EntityReferenceSelection\UserSelection::buildEntityQuery(), disabled users are only excluded for non-admins. And \Drupal\user\UserAccessControlHandler::checkAccess() also allows unlimited access with that permission except for the anon user.
Also moving to user.module, as the bug has to be somewhere there I think.
Comment #7
erlendoos CreditAttribution: erlendoos as a volunteer commentedI was able to reference any user, until I used a role that was not able to MANAGE user accounts. The connection between referencing and managing users surprised me. A role that connects users to content and a role that manages users can exist in the same system. A disabled user can be very handy at times where you want to keep profiles for people that you don't (not yet) want to have logins for. Being enabled or not has not so much to do with being available to be referenced or only being able to be referenced by someone that is able to enable the user. There is not always a logical connection between the two actions.
Comment #8
dpiIts not really a bug since we explicitly require a user to have 'administer users' permission in order to reference blocked users. So I'm inverting this issue to a feature request.
\Drupal\user\Plugin\EntityReferenceSelection\UserSelection
:Despite the above comment, I don't necessarily approve this feature request.
Comment #9
jibranSeparate permission does make sense in this context because the ability to reference the blocked users does not look like an admin task but then the 'reference blocked users' permission is a very user selection plugin specific. There is a way around that, we can always user hook_query_TAG_alter with EFQ. IMO this is a won't fix.
Comment #11
jhedstromWhile not quite the same as this request, I've added #2849620: Add filter option to UserSelection to exclude blocked users.
Comment #13
letrotteur CreditAttribution: letrotteur commentedI've encountered this issue on a project recently. A bunch of users were created for editors to create a whole bunch of content (nodes). Then they left and their user accounts were blocked. Now, when a non-admin wants to edit those nodes, they can't and are prompted with a error message:
and the authored by field is outline in red in the node.
Step to reproduce:
Comment #15
specky_rum CreditAttribution: specky_rum commentedAnother place where I believe this same issue is coming up... A client has users listed in a directory but some of those users aren't actually able to access the site and to achieve that we blocked their accounts. The knock on effect however is that anyone without administer users (most users) can now no longer see those users when performing a user search.
Unless I'm missing something this would seem to be a bug. If I block a user I'm only saying that user can no longer login, I'm not saying anything about whether or not they can be viewed by other users? Or have I missed something? It certainly doesn't say anything else on the edit user form where you set their status.
Comment #17
sleitner CreditAttribution: sleitner commentedI had the same problem as @letrotteur. +1
Comment #23
timohuismanI have also the same problem as @letrotteur. We're facing this problem on multiple sites.
Comment #26
mdranove CreditAttribution: mdranove commentedExperiencing same issue. Workaround on our site is to delete the blocked user from the entity reference field. This is not ideal for business reasons.
Comment #27
mdranove CreditAttribution: mdranove commentedCreated a simple patch to add a "reference users" permission to replace the "administer users" conditional logic in
/user/Plugin/EntityReferenceSelection/UserSelection.php
Before:
After:
Comment #29
binnythomas CreditAttribution: binnythomas at Salsa Digital for Drupal India Association commentedPatch #27 works for me.
Comment #30
binnythomas CreditAttribution: binnythomas at Salsa Digital for Drupal India Association commentedUpdating the patch @ #27 to include administer users permission as well.
Comment #31
binnythomas CreditAttribution: binnythomas at Salsa Digital for Drupal India Association commentedThe previous patch has a typo. Uploading new patch.
Comment #32
sleitner CreditAttribution: sleitner commentedComment #34
sleitner CreditAttribution: sleitner commentedI tested this again, but there is no error anymore. Should we close it as outdated?
Comment #35
Akhil BabuThe "This entity (user: id) cannot be referenced." error described in #13 is no longer reproducible in Drupal 11(11.0-dev). However, the original issue ('Users without 'administer users' permission not able to reference blocked users in entity autocomplete form') is still reproducible. That issue is being discussed in #2849620: Add filter option to UserSelection to exclude blocked users, so I am closing this issue as a duplicate.
Comment #36
Akhil Babu