Views relations prevent sites and platforms from listing data for clients [#2821425]

This might even be critical as it breaks a major part of aegir...

Views checks node access for nodes added via relations as well, so if a user does not have access to related nodes, the site will not show on the sites overview (the same happens with the platforms overview).

For instance for the sites list, I've figured out the user needs the 'view servers' and the 'administer platforms' permissions. For the Platforms list I did not yet find the right combination of permissions required.
This however is not a solution, as it would expose clients to more data than desirable.

This patch might be helpful #1349080-332: node_access filters out accessible nodes when node is left joined, but then we'd have to await the backport for D7.

This might be a result of SA-CONTRIB-2016-046

Comments

Comment #1

22 October 2016 at 23:57

Neograph734 created an issue. See original summary.

Comment #2

Neograph734

he/him

Netherlands

CreditAttribution: Neograph734 commented 22 October 2016 at 23:59

Issue summary:

View changes

Comment #3

Neograph734

he/him

Netherlands

CreditAttribution: Neograph734 commented 23 October 2016 at 14:42

Issue summary:

View changes

Comment #4

Neograph734

he/him

Netherlands

CreditAttribution: Neograph734 commented 4 November 2016 at 15:53

Issue summary:

View changes

Comment #5

helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented 10 November 2016 at 12:28

The patch from #1349080-332: node_access filters out accessible nodes when node is left joined looks definitely helpful here. We could add it to our makefile if needed.
With that patch I had no need to give a client user the 'view server' or 'administer platform' permissions to see the sites list.

The platforms list however I have also not found the right permissions to grant a client limited access.