Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
The UserSelection
entity reference handler currently excludes blocked users only for people without the administer users permission. For many user reference fields, it would be nice to exclude them for all users, similar to how the anonymous user can be excluded.
Proposed resolution
Add the option to do this.
Comments
Comment #2
jhedstromWe'll need to update/add a test for this.
Comment #4
dpiLooking at the patch, it is likely implemented in the reverse. The default behaviour is to exclude blocked, so the option should probably be "Include blocked".
Tackling test failures, and there is a HTML issue with the form field not closing its
<em>
tag.Comment #5
dpiInterdiff with #2
Comment #6
dpiComment #7
jhedstromThis would change the current behavior, allowing non-admin users to access blocked users if I'm understanding the logic. In the previous logic from #2, it still forced non-admin users to reference only active users. I'm fine with this either way, but it might be harder to get committed with changing behavior...
Comment #8
jhedstromActually, it wouldn't change any existing fields...it would make fields configurable in such a way that non-admins could reference blocked users, which is also the attempt of #2756179: Separate ability to reference blocked users from 'administer users' permission., so we could perhaps consolidate issues.
Comment #9
jhedstromArg, this is confusing :) The patch in #7 will still always should blocked users for admins, yes? The initial intent was to allow fields to be configured such that even admins cannot reference blocked accounts...
Comment #10
dpiReading your patch, it seemed you wanted to retain the existing behaviour somewhat, because the
>hasPermission('administer users')
snippet was still present.If this patch is a binary yes/no you can/t reference blocked users then this would be a behaviour change.
The current behaviour could be retained by having the radio preference:
Comment #11
dpiThis issue is confusing
Comment #12
dpiI see the intent of the original patch was to make it so blocked users would always be excluded, regardless of permission. But then this does not cover situations where you want non-admin to reference blocked.
Comment #13
dpiadmin = user with `administer permissions`
All these multiple binary/negating conditions are confusing, these are the options I see are available.
Option A
Proposed by this issue.
Option B
Option C
Proposed by #6
Comment #15
sukanya.ramakrishnan CreditAttribution: sukanya.ramakrishnan at Workday, Inc. commentedSubmitting a patch based on option A as proposed by this issue.
Patch did not apply so cudnt get an interdiff
1. Test path has changed, so made changes in the new file. Added one more assertion based on the use cases.
2. Ported patch to 8.5.
Comment #16
jhedstromI think the options where we expose access to blocked users to non-admins is unnecessary, and would be a big change since non-admins cannot see those users anyway (it's the user equivalent of unpublished content), so would still prefer the original option of just making it configurable to remove the blocked users from the autocomplete for admins.
Comment #17
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedHmm, I think the included test is giving a false positive (i.e. it's not actually testing what it needs to) because
$handler_settings
was refactored to$configuration
at some point and so this patch no longer works the way it's supposed to.Comment #19
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedComment #20
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedI've made a number of modifications to the last patch:
$referenceable_tests
.#states
to the "Include anonymous" field to make it clear that if you exclude blocked users, you won't get the anonymous user either.include_blocked
toTRUE
, as that is how it functions prior to this feature and we don't want unexpected behavior to be introduced.include_blocked
check is now performed before checking for theadminister users permission
, which is more expensive.Comment #22
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedLooks like some random testbot issue caused those failures, so retry.
Comment #23
idebr CreditAttribution: idebr at iO commentedThe referenced users are validated in \Drupal\user\Plugin\EntityReferenceSelection\UserSelection::validateReferenceableNewEntities(). This method still validates the user is active based on the permission 'administer users':
This means this patch needs at least two changes:
Comment #25
dalinThis is also related to #2836245: Unable to reference blocked user on node save in that users that don't have the "Administer users" permission are unable to submit the edit form for nodes created by a now blocked user. Editing a node should not require you to alter the history about who created it.
IMO user reference fields should default to allowing all users, unless overridden with the configuration in the attached patch.
Comment #26
dalinComment #27
dalinDisregard #25. It looks like that particular bug is fixed in #2791269: Allow saving pre-existing references to inaccessible items