After updating to version 1.6, guests are not able to list contents from any profile. All logged-in users are able to list, but not guests.
The list to be viewed is set by Views, which picks some of the fields. All the permissions for the fields are (correctly) set by Field_permission_module.
The permission set by Views is "Role", and for the list "Guests" and "logged in users" are marked. ONLY logged-in users can see the list; for guests the list is still there but shows empty/blank/white lines.
I downloaded version 1.5 again and the problem is gone, so it is fully related to the version update 7.x._1.6.
(It took me a while to find what the problem was related to, because of other updates, i.e. Views)
The Core running with this problem is 7.64 (will try on 7.65 later this week)
Hope my description is enough to find out WHY?
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | profile2-field_access-3043359-5.patch | 2.48 KB | rickj |
Comments
Comment #2
rickj commented
There is a change to access checks since v1.5, see this issue: #2981818: Profiles visible to user roles to which they do not apply.
In the system permissions list, do you have "View any profile" enabled for anonymous users for the profile(s) in question? This was not properly checked in v1.5, but is in 1.6, so could have triggered the problem.
Comment #3
göran commented
First of all, thank you for the quick answer. I really like the Profile2 module, it's great.
"View any profile" is NOT set for either "guests" or "logged in users".
It is just set for three roles, of 17 roles in total. But all roles that are "logged in user" can see the list, from all kinds of roles (as they should be able to do by the settings for the fields in the Field_permission module, which allows "guest" + "logged in users" to view the fields involved)
This points out two problems/questions about this issue.
1. Field permission module - gives "guests" and "logged in users" permission to see/view the fields involved in the Views list. That should overcome the profile2 permission involved. Thereafter give VIEWS-setting permission for these two kinds of roles - to see/view the list.
2. and IF the "Logged in users" permission by "View any profile" in Profile2 permission is off (not set to "on") - NONE of the roles should be able to see the list - IF profile2 permission prevents it, AND overcomes the field-permission module's settings - as I think it should not.
As I see it - the field permission module allows fields to be viewed by the roles involved and that should overcome the Profile2 setting for "View any profile" for the fields.
Please advise
One point is the GDPR regulation in Europe. All fields with personal-related information are not allowed for guests without an active permission from each person involved. Because of that it is necessary to be able to prevent fields with personal information from being viewed by guests.
Comment #4
rickj commented
OK, I think this is starting to make sense. The change to permissions in v1.6 was to ensure that applicability of profile to role takes precedence. I.e. if a profile type does not apply to a role, then a profile of that type is never visible for an account with that role. This is an essential constraint.
But it looks like that logic went too far, and causes profile-level access to override field-level access. It seems it should be the other way round - field access should take priority over entity (profile) access.
Is that correct? If so I should be able to sort out a patch.
Comment #5
göran commented
Yes - fully correct! I am happy to agree :D
Comment #6
rickj commented
Here's a patch that implements #4. Let me know if this resolves the issue.
Thanks.
Comment #7
rickj commented
Comment #8
göran commented
Patch tested - works fine, the list is back and everything seems to work.
Great!
And thanks - this solution came up very fast!
Comment #9
rickj commented
That's a wrap then!
Thanks for the detailed problem analysis, made the fix easy. I'm committing to the dev build, there's a few more loose ends before we get to v1.7.
Comment #11
rickj commented
Fixed, and change of title.