This might even be critical as it breaks a major part of aegir...

Views checks node access for nodes added via relations as well, so if a user does not have access to related nodes, the site will not show on the sites overview (the same happens with the platforms overview).

For instance for the sites list, I've figured out the user needs the 'view servers' and the 'administer platforms' permissions. For the Platforms list I did not yet find the right combination of permissions required.
This however is not a solution, as it would expose clients to more data than desirable.

This patch might be helpful #1349080-332: node_access filters out accessible nodes when node is left joined, but then we'd have to await the backport for D7.

This might be a result of SA-CONTRIB-2016-046

Comments

Neograph734 created an issue. See original summary.

Neograph734’s picture

Issue summary: View changes
Neograph734’s picture

Issue summary: View changes
Neograph734’s picture

Issue summary: View changes
helmo’s picture

The patch from #1349080-332: node_access filters out accessible nodes when node is left joined looks definitely helpful here. We could add it to our makefile if needed.
With that patch I had no need to give a client user the 'view server' or 'administer platform' permissions to see the sites list.

The platforms list however I have also not found the right permissions to grant a client limited access.

kienan’s picture

I didn't look back in the issue queue before creating a new issue, but #2883695 should address this

helmo’s picture