Problem/Motivation

With Drupal 7, it was possible to define in Views a page with several displays, having all the same URL. By ordering the displays in descending order of access level (Administrator first, Anonymous last), it is possible to have different renderings depending on the role of the logged in user. This allowed for a single menu entry that displayed only the data to which the user is entitled. This doesn't seem to work anymore in Drupal 8 and 9.

Steps to reproduce

  1. Create 2 users:
    • user1 with the profile Content editor
    • user2 with the authenticated user profile
  2. Create a view _test
  3. Duplicate the display
  4. Rename first display to Page user1 and set role access (for this display only) to Content Editor
  5. Rename second display to Page user2 and set role access (for this display only) to Authenticated user
  6. Login as user1 and go to /test
    • (The view is correctly displayed)
  7. Logout and login as user2 and go to /test
    • (Access is denied)
  8. Logout, login as admin and disable display Page user1, save and login as user2
    • (The view (Page user2) is displayed)

Proposed resolution

During checkAccess, each display must be checked, not only the first one and the route updated

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

CommentFileSizeAuthor
#3 Duplicate Display.png138.38 KBandregp
#3 Page user1 Display settings.png83.17 KBandregp
#2 Display 2 fail.png51.32 KBandregp
#2 Display 2 details.png143.45 KBandregp

Issue fork drupal-3255889

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

olivierh65 created an issue. See original summary.

andregp’s picture

andregp commented
Version: 9.3.x-dev » 9.4.x-dev
Assigned: Unassigned » andregp
StatusFileSize
new Display 2 details.png143.45 KB
new Display 2 fail.png51.32 KB

I followed the steps above and this problem also happens on version 9.4.x (as you can see on the images attached), I'll try to work on a patch.

andregp’s picture

andregp commented
Issue summary: View changes
StatusFileSize
new Page user1 Display settings.png83.17 KB
new Duplicate Display.png138.38 KB
andregp’s picture

andregp commented
Issue summary: View changes

Sorry for the files on #3. Please ignore them.

andregp’s picture

andregp commented
Issue summary: View changes
andregp’s picture

andregp commented
Assigned: andregp » Unassigned

I was able to reproduce the error, but wasn't able to find a solution so I'm unassigning myself.

lendude’s picture

lendude
Primary language Dutch
Location Amsterdam
commented
Category: Bug report » Feature request

See the explanation in #2659786: View having multiple page displays on same path does not respect different access rights, this changed between D7 and D8 because the routing in D8 is completely different.

The other issue was closed as 'work as designed', but was also suggested it could be moved to a feature request, which is what I will do for now.

happy047 made their first commit to this issue’s fork.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.