Problem/Motivation

Since #2692091 (Use the new 'view label' entity access check in the entity reference label formatter), the entity access check in the entity reference label formatter uses the "view label" operation.

AFAICT the change did not take into account the case where the user may view the entity's label but not the entity itself, combined with the "show as link" option.

If you configure the entity reference label formatter to output the referenced entities as links, it will also generate links to entities to which the user doesn't have access. Clicking on such a link renders an access denied page.

I would expect no links to be displayed for these entities and instead only the label.

Proposed resolution

Before creating a link to the entity, check if the user can actually view the entity.
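As an added illustration (not the attached patch and not Drupal core code), the following helper shows the check the proposed resolution describes. A label formatter would call it for each referenced entity whose label it has already decided to show under the existing "view label" check; the helper only decides whether that label is linked. It assumes a Drupal 9/10 runtime and the public entity API; the function name and its placement are my own.

```php
<?php

// Added illustration, not core code: gate the link on the full 'view'
// operation. The caller is assumed to have already passed the 'view label'
// check, so the label itself is always safe to print here.

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\Exception\UndefinedLinkTemplateException;

function build_reference_label(EntityInterface $entity, bool $output_as_link): array {
  $label = $entity->label();

  // Ask for 'view' (not 'view label') and keep the AccessResult object, so its
  // cacheability (contexts such as user permissions, tags, max-age) can be
  // attached to the render array. Without that, the render cache could serve a
  // link built for a privileged user to an unprivileged one.
  $view_access = $entity->access('view', NULL, TRUE);

  $can_link = $output_as_link && !$entity->isNew() && $view_access->isAllowed();

  $uri = NULL;
  if ($can_link) {
    try {
      $uri = $entity->toUrl();
    }
    catch (UndefinedLinkTemplateException $e) {
      // The entity type has no canonical link template: label only.
      $can_link = FALSE;
    }
  }

  if ($can_link) {
    $element = [
      '#type' => 'link',
      '#title' => $label,
      '#url' => $uri,
      '#options' => $uri->getOptions(),
    ];
  }
  else {
    // Only 'view label' was granted (or linking is off): no URL is emitted,
    // so the path alias, entity ID and entity type stay hidden.
    $element = ['#plain_text' => $label];
  }

  // Vary on whatever the access check varied on, and invalidate when the
  // entity changes.
  CacheableMetadata::createFromObject($view_access)
    ->addCacheableDependency($entity)
    ->applyTo($element);

  return $element;
}
```

The important detail for a correct fix is the cache metadata: an access decision that differs per user must bubble its cache contexts into the render array, otherwise denying the link in the formatter is undone by the render cache.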

Comment  File             Size       Author
#2       3246579-2.patch  783 bytes  rp7

Comments

rp7 created an issue.

rp7

File status: new, 783 bytes

Patch attached could be a possible solution. Still needs a test, though.
Would love some insights as I might be overlooking something completely.

rp7

Issue summary updated.

berdir

Makes sense. If you are using this for user entities then there's also the author formatter that uses the username template which basically does the same, but that will only work for users.

larowlan

This feels like a feature request to me - thoughts?

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

john.oltman

No, this is a bug. In fact, it's a security issue, as links to entities can reveal data about the entity that a site admin went to some lengths to protect. For example, depending on how a path alias is constructed, a link can reveal the entity ID, entity type, and potentially other fields as well.

john.oltman

Status: Active » Needs review

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave

Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative, +Needs tests

This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.

Since this is a bug it will need a test case to show the issue.

Thanks!

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

kksandr

I am closing this issue, since there is a similar one, but with test coverage and RTBC status.