Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By mxr576 on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
10.4.x, 11.1.x
Introduced in version:
10.4.0, 11.1.0
Issue links:
Description:
The "Label" entity reference field formatter (\Drupal\Core\Field\Plugin\Field\FieldFormatter\EntityReferenceLabelFormatter) previously rendered entity labels as links to their respective entities, even when users lacked access to the destination URL. This behavior could inadvertently disclose information through URLs and result in a poor user experience, as users would encounter HTTP 403 errors upon clicking the links.
With this update, the "Label" entity reference field formatter will now only render entity labels as links if the user has access to the destination URL. If the user does not have access, the field formatter will display the labels as plain text.
This change may require updates to tests in contributed and custom code, as selectors that previously relied on the presence of link HTML tags will no longer be universally applicable.
Impacts:
Site builders, administrators, editors
Module developers
Themers
Site templates, recipes and distribution developers
