Closed (fixed)
Project:
Drupal core
Version:
8.4.x-dev
Component:
entity_reference.module
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
28 Aug 2016 at 19:11 UTC
Updated:
21 Apr 2022 at 15:09 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
spotzero commentedThere are good reasons why saving a form with an entity reference to an entity that the current user doesn't have access to is not allowed, so I'd recommend against making this the default behaviour.
I think a reasonable implementation would be to add a specific permission to grant access to doing this, since you are giving the user an elevated access. Also, if we explicitly add a permission for this, it means that we can leave the referenced entity visible for the user (with the current "restricted access" text) and just alter the permissions check to allow the form submission.
Comment #3
drummI clarified the possible solution in the issue summary, emphasized words added.
By default, Drupal doesn’t protect against content enumeration. You can get the IDs of all the inaccessible content by crawling node/{nid} and looking for 404 vs. 403. So exposing this in the field isn’t really a security issue. Presumably the user has some trust since they are editing content. That said, we shouldn't open up more than needed, so letting only unchanged references through makes sense.
Comment #4
spotzero commentedAh, that's completely reasonable. Disregard my previous comment.
Comment #5
amateescu commentedWe've hit this problem in Entityqueue 7.x as well and we had to create a workaround for it: #2383903: Cannot save queues with entities user doesn't have access to
I would argue that this is actually a bug in Entity reference, which shouldn't try to validate pre-existing items. Here's a patch with a test.
Comment #8
amateescu commentedSome tests don't bother to create the parent entity object but that's easy to fix, we just need an additional check.
Comment #9
marcvangendThis is related to #2807437: Anonymous user cannot upload private file, although that issue is not about existing references, but a valid (IMHO) use case for selectively allowing new references to inaccessible entities.
Comment #11
peacog commentedNeeds a re-roll because of the change to short array syntax in core #2776975: March 3, 2017: Convert core to array syntax coding standards for Drupal 8.3.x RC phase. Here's a new patch and a diff.
Interdiff doesn't seem to be able to cope with comparing the old with the new array syntax, so I've had to make do with a simple diff.
Comment #12
drummLooks okay.
Maybe we could use a test to make sure the inaccessible referenced entity remains referenced after save?
Comment #13
amateescu commentedSure thing, that's a good idea :)
Comment #15
berdirWondering if we should make this specific to entities that exist but you as a user don't have access to?
Not quite sure how, to be honest, but this logic I think would also pass validation for use cases such as:
* No longer allowed based on the configuration, e.g. wrong bundle
* entity that was deleted (not quite sure what the current behavior there is)
Comment #16
amateescu commented@Berdir, you are totally right!
I wrote new test cases for both of those scenarios, reference no longer allowed based on the configuration and entity that was deleted, and the test-only patch is the code from #13 with that additional test coverage.
Comment #18
berdirNot sure how view vs view label operations apply here exactly. We currently use query tag based access for those entities, where we so far never talked about how that works combined with view label. Just wondering if there's possibly a weird/special case here, what happens when you have a user reference field and you don't have permission to view user profiles? Is there a case where that could result in the wrong result?
Comment #19
amateescu commentedWell, we have to keep in mind that all this is about letting the user save *pre-existing* inaccessible references, so I chose the 'view' operation especially because its scope is broader than 'view label'.
The expectation is that you are allowed to save a pre-existing reference to a user when you don't have access to view user profiles.
Edit: fixed typo.
Comment #20
berdirFair enough, lets do this, I think this is well tested.
Comment #21
catchs/ca/can.
Comment #22
catchFixed that on commit. Committed/pushed to 8.5.x and cherry-picked to 8.4.x. Thanks!
Comment #26
nghai commentedDear @Berdir, Dear @amateescu
caught some issues related to the current solution for the requirement "Allow saving pre-existing references to inaccessible items"
have opened and reported the whole scenario in this ticket https://www.drupal.org/project/drupal/issues/2973863?
Could you please review once ?
Thanks
Comment #27
tim.plunkettSee also #3008943: Clean up todo in InlineBlockEntityOperations::handleEntityDelete(), introduced by this issue.
Comment #28
duneblThis patch doesn't solve the following case:
1-Create a user reference field ALLOWING ONLY users with a given role
2-Add a user (having the requested role) to this field and save the node
3-block the user
4-As a non admin, edit the node and try to save it. It will be impossible (error: this entity (user:xxx) can not be referenced)