Query access fails in certain cases on post-RC1 Views [#1323366]

commit 0b273e947fd290bc50ce758ca54437210f95cc41
Author: Daniel Wehner <daniel.wehner@erdfisch.de>
Date:   Sun Aug 28 16:54:17 2011 +0200

    #1222324 by dereine: Apply access tags of relationships to the query

diff --git a/handlers/views_handler_relationship.inc b/handlers/views_handler_relationship.inc
index 3b5c9fa..6bd54b3 100644
--- a/handlers/views_handler_relationship.inc
+++ b/handlers/views_handler_relationship.inc
@@ -123,6 +123,12 @@ class views_handler_relationship extends views_handler {
     $alias = $def['table'] . '_' . $this->table;
 
     $this->alias = $this->query->add_relationship($alias, $join, $this->definition['base'], $this->relationship);
+
+    // Add access tags if the base table provide it.
+    if (empty($this->query->options['disable_sql_rewrite']) && isset($table_data['table']['base']['access query tag'])) {
+      $access_tag = $table_data['table']['base']['access query tag'];
+      $this->query->add_tag($access_tag);
+    }
   }

We create a line item view. We add a relationship to an order.
Then Views adds both the query tag for line items, and the query tag for orders.
The query tag for line items already handles the access for orders, calling commerce_entity_access_query_alter() for commerce_order
with the appropriate base table. The problem is in the second, extra tag that now gets added.

In that case, commerce_entity_access_query_alter() gets called for commerce_order, but without the base table specified.
So the base views table gets taken instead, leading to a condition on "commerce_line_item.uid" instead of "commerce_order.uid", which fails because line items don't have a uid column.

Comment	File	Size	Author
#5	1323366-exception.patch	2.05 KB	bojanz
#5
#3	1323366.patch	742 bytes	bojanz
#3
#1	1323366.patch	1.95 KB	bojanz
#1

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

bojanz CreditAttribution: bojanz commented 27 October 2011 at 11:24

Status:

Active

» Needs review

File	Size
1323366.patch	1.95 KB

This is a quick fix I did to keep a client site running. Basically checks if the detected base table matches the base table for the specified entity type, aborts if it doesn't.

This seems like something we should fix before Commerce 1.1

Comment #2

bojanz CreditAttribution: bojanz commented 27 October 2011 at 12:43

Looks like this will get fixed in Views: http://drupal.org/node/1222324#comment-5169140
Leaving the issue here for now, for visibility.

Comment #3

bojanz CreditAttribution: bojanz commented 27 October 2011 at 14:43

File	Size
1323366.patch	742 bytes

Okay, Damien provided a proper Views patch that fixes the main problem.

What remains to be done in Commerce is making it search for "base_table" instead of "base table" in the query metadata (which is the key that Drupal core, Entityreference, and Views use). It's basically a typo fix.
Attaching the patch. Can be committed right away.

Comment #4

Damien Tournoud CreditAttribution: Damien Tournoud commented 27 October 2011 at 14:53

Status:

Needs review

» Needs work

Merged #3 into 7.x-1.x. Do we want to add an exception in the case we fail to detect a base table that matches ours?

Comment #5

bojanz CreditAttribution: bojanz commented 27 October 2011 at 15:26

Status:

Needs work

» Needs review

File	Size
1323366-exception.patch	2.05 KB

Okay, so we agreed to do a patch that compares $base_table with $entity_info['base table'], throws an exception if they don't match.
That way if we don't trip up someone who tries to use the access system incorrectly.

To be committed once the fix lands into Views, so that we can tell people what to update.

Comment #6

rszrama CreditAttribution: rszrama commented 15 December 2011 at 02:13

Wait a minute... does this solve #1276450: Views results empty for unprivileged user when using Relationship: Content: Referenced Product?

Comment #7

bojanz CreditAttribution: bojanz commented 15 December 2011 at 08:57

#1 should, in all its hackiness.

Comment #8

rszrama CreditAttribution: rszrama commented 15 December 2011 at 14:45

But not #5?

Comment #9

bojanz CreditAttribution: bojanz commented 15 December 2011 at 14:46

No, #5 will throw an exception.

Comment #10

rcross CreditAttribution: rcross commented 29 May 2012 at 02:29

Priority:

Normal

» Major

is there anything else we can do to move this along? I'm surprised I've seen 2 releases of commerce without this being fixed. I'm not sure if #1276450: Views results empty for unprivileged user when using Relationship: Content: Referenced Product is a duplicate or this, but either way these are major issues.

Comment #11

rszrama CreditAttribution: rszrama commented 13 February 2013 at 10:12

Priority:	Major	» Normal
Status:	Needs review	» Closed (duplicate)

As it turns out, we actually had a note in commerce_entity_access_query_alter() placing the onus on the caller of the function to ensure the first table in the tables list is the base table for the entity type given if a base table is not passed in as the third argument. We simply weren't obeying our own instructions in commerce_order_query_commerce_order_access_alter(). Thanks to some work in #1879260: More robust query altering for line items, I applied a fix in the latter function there that searches through the tables list to find the commerce_order table and passes in the proper alias to commerce_entity_access_query_alter(). In the event that it can't find one, it will simply not do anything, which would actually be fine in the core use cases where the conditions have already been added anyways.

Closing this one as a duplicate unless anyone has an edge case I'm missing that they think requires this to be re-opened.