Problem/Motivation

The UserSelection entity reference handler currently excludes blocked users only for people without the administer users permission. For many user reference fields, it would be nice to exclude them for all users, similar to how the anonymous user can be excluded.

Proposed resolution

Add the option to do this.

Remaining tasks

User interface changes

API changes

Data model changes

CommentFileSizeAuthor
#20 interdiff-2849620-15-20.txt5.54 KBkevin.dutra
#20 entity-reference-user-selection-exclude-blocked-2849620-20.patch4.3 KBkevin.dutra
#15 entity-reference-user-selection-exclude-blocked-2849620-15.patch5.01 KBsukanya.ramakrishnan
#6 entity-reference-user-selection-exclude-blocked-2849620-5-interdiff.txt4.51 KBdpi
#6 entity-reference-user-selection-exclude-blocked-2849620-5.patch4.16 KBdpi
#2 2849620-02.patch1.74 KBjhedstrom
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

jhedstrom created an issue. See original summary.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented
Status: Active » Needs review
Issue tags: +Needs tests
FileSize
2849620-02.patch1.74 KB

We'll need to update/add a test for this.

Status: Needs review » Needs work

The last submitted patch, 2: 2849620-02.patch, failed testing.

dpi’s picture

dpi
Location Perth, Australia
CreditAttribution: dpi as a volunteer commented
Assigned: Unassigned » dpi

Looking at the patch, it is likely implemented in the reverse. The default behaviour is to exclude blocked, so the option should probably be "Include blocked".

Tackling test failures, and there is a HTML issue with the form field not closing its <em> tag.

dpi’s picture

dpi
Location Perth, Australia
CreditAttribution: dpi as a volunteer commented
Assigned: dpi » Unassigned
Status: Needs work » Needs review
Issue tags: -Needs tests
  • Tests added.
  • Fixed HTML for checkbox.
  • Added schema for entity reference selection plugin settings
  • Inverted text to be "include blocked", since the current and default behaviour is to exclude blocked.

Interdiff with #2

dpi’s picture

dpi
Location Perth, Australia
CreditAttribution: dpi as a volunteer commented
FileSize
entity-reference-user-selection-exclude-blocked-2849620-5.patch4.16 KB
entity-reference-user-selection-exclude-blocked-2849620-5-interdiff.txt4.51 KB
jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented 
+++ b/core/modules/user/src/Plugin/EntityReferenceSelection/UserSelection.php
@@ -91,6 +91,7 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta
+      'include_blocked' => FALSE,

@@ -163,7 +171,7 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS')
-    if (!$this->currentUser->hasPermission('administer users')) {
+    if (!$this->currentUser->hasPermission('administer users') && empty($handler_settings['include_blocked'])) {

This would change the current behavior, allowing non-admin users to access blocked users if I'm understanding the logic. In the previous logic from #2, it still forced non-admin users to reference only active users. I'm fine with this either way, but it might be harder to get committed with changing behavior...

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented

Actually, it wouldn't change any existing fields...it would make fields configurable in such a way that non-admins could reference blocked users, which is also the attempt of #2756179: Separate ability to reference blocked users from 'administer users' permission., so we could perhaps consolidate issues.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented

Arg, this is confusing :) The patch in #7 will still always should blocked users for admins, yes? The initial intent was to allow fields to be configured such that even admins cannot reference blocked accounts...

dpi’s picture

dpi
Location Perth, Australia
CreditAttribution: dpi as a volunteer commented

The initial intent was to allow fields to be configured such that even admins cannot reference blocked accounts...

Reading your patch, it seemed you wanted to retain the existing behaviour somewhat, because the >hasPermission('administer users') snippet was still present.

even admins cannot reference blocked

If this patch is a binary yes/no you can/t reference blocked users then this would be a behaviour change.

The current behaviour could be retained by having the radio preference:

  • Allow users with administer users to reference blocked users. (default)
  • Allow anyone to reference blocked users.
  • Reference blocked users is prohibited.
dpi’s picture

dpi
Location Perth, Australia
CreditAttribution: dpi as a volunteer commented

This issue is confusing

dpi’s picture

dpi
Location Perth, Australia
CreditAttribution: dpi as a volunteer commented

I see the intent of the original patch was to make it so blocked users would always be excluded, regardless of permission. But then this does not cover situations where you want non-admin to reference blocked.

dpi’s picture

dpi
Location Perth, Australia
CreditAttribution: dpi as a volunteer commented

admin = user with `administer permissions`

All these multiple binary/negating conditions are confusing, these are the options I see are available.

Option A

Proposed by this issue.

  • UI: options are (boolean, checkbox, 2-states)
    • FALSE: Admin can reference blocked users (default)
    • TRUE: Admin cannot reference blocked users.
  • Effect:
    • admin can sometimes reference blocked users
    • non-admin can never reference blocked users

Option B

  • UI: options are (radio, 3-states)
    • 0: Only admin can reference blocked (default)
    • -1: Nobody can reference blocked
    • 1: Anybody can reference blocked
  • Effect:
    • Sometimes no-one can reference blocked users.
    • Sometimes only admins can reference blocked users.
    • Sometimes everyone can reference blocked users.

Option C

Proposed by #6

  • UI: options are (boolean, checkbox, 2-states)
    • FALSE: Non-admin cannot reference blocked users (default)
    • TRUE: Non-admin can reference blocked users
  • Effect:
    • Admin can always view blocked users.
    • Non-admin can sometimes reference blocked users.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

sukanya.ramakrishnan’s picture

sukanya.ramakrishnan CreditAttribution: sukanya.ramakrishnan at Workday, Inc. commented
FileSize
entity-reference-user-selection-exclude-blocked-2849620-15.patch5.01 KB

Submitting a patch based on option A as proposed by this issue.

Patch did not apply so cudnt get an interdiff

1. Test path has changed, so made changes in the new file. Added one more assertion based on the use cases.
2. Ported patch to 8.5.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented

I think the options where we expose access to blocked users to non-admins is unnecessary, and would be a big change since non-admins cannot see those users anyway (it's the user equivalent of unpublished content), so would still prefer the original option of just making it configurable to remove the blocked users from the autocomplete for admins.

kevin.dutra’s picture

kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commented
Status: Needs review » Needs work

Hmm, I think the included test is giving a false positive (i.e. it's not actually testing what it needs to) because $handler_settings was refactored to $configuration at some point and so this patch no longer works the way it's supposed to.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

kevin.dutra’s picture

kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commented
Assigned: Unassigned » kevin.dutra
kevin.dutra’s picture

kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commented
Assigned: kevin.dutra » Unassigned
Status: Needs work » Needs review
FileSize
entity-reference-user-selection-exclude-blocked-2849620-20.patch4.3 KB
interdiff-2849620-15-20.txt5.54 KB

I've made a number of modifications to the last patch:

  1. Rerolled to work with 8.6
  2. Removed redundant test cases.
  3. Fixed new test case, which was not hitting any assertions due to missing arguments in $referenceable_tests.
  4. Added #states to the "Include anonymous" field to make it clear that if you exclude blocked users, you won't get the anonymous user either.
  5. Changed default setting for include_blocked to TRUE, as that is how it functions prior to this feature and we don't want unexpected behavior to be introduced.
  6. For a slight performance improvement, the include_blocked check is now performed before checking for the administer users permission, which is more expensive.

Status: Needs review » Needs work

The last submitted patch, 20: entity-reference-user-selection-exclude-blocked-2849620-20.patch, failed testing. View results

kevin.dutra’s picture

kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commented
Status: Needs work » Needs review

Looks like some random testbot issue caused those failures, so retry.

idebr’s picture

idebr CreditAttribution: idebr at iO commented
Status: Needs review » Needs work

The referenced users are validated in \Drupal\user\Plugin\EntityReferenceSelection\UserSelection::validateReferenceableNewEntities(). This method still validates the user is active based on the permission 'administer users':

if (!$this->currentUser->hasPermission('administer users')) {
  $entities = array_filter($entities, function ($user) {
    /** @var \Drupal\user\UserInterface $user */
    return $user->isActive();
  });
}

This means this patch needs at least two changes:

  1. The validation method \Drupal\user\Plugin\EntityReferenceSelection\UserSelection::validateReferenceableNewEntities() needs to be updated to allow for the configuration option 'include blocked'.
  2. The test coverage needs to be extended so it actually saves a reference to a blocked user through a form, so it passes all the relevant form validations.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

dalin’s picture

dalin
he/him
Primary language English
Location 🇲🇽, 🇨🇦, 🌍
CreditAttribution: dalin at Advomatic for Stanford University commented

This is also related to #2836245: Unable to reference blocked user on node save in that users that don't have the "Administer users" permission are unable to submit the edit form for nodes created by a now blocked user. Editing a node should not require you to alter the history about who created it.

IMO user reference fields should default to allowing all users, unless overridden with the configuration in the attached patch.

dalin’s picture

dalin
he/him
Primary language English
Location 🇲🇽, 🇨🇦, 🌍
CreditAttribution: dalin at Advomatic for Stanford University commented
Related issues: +#2836245: Unable to reference blocked user on node save
dalin’s picture

dalin
he/him
Primary language English
Location 🇲🇽, 🇨🇦, 🌍
CreditAttribution: dalin at Advomatic for Stanford University commented
Related issues: -#2836245: Unable to reference blocked user on node save

Disregard #25. It looks like that particular bug is fixed in #2791269: Allow saving pre-existing references to inaccessible items

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.