Problem/Motivation

We've built a custom users dashboard (more filters than the view provided by the core, an access based on a custom permission, a custom path and we needed it in a custom admin toolbar submenu to group it with others custom dashboards)

In this view we added a views.combine filter.
It is configured as follow:

  • exposed to the users
  • unique filter
  • operator: "contains"
  • combined fields: user.name + user.mail

Giving our custom permission to the roles we want allow them to access the dashboard and they can see the users list because we also gave them the 'access user profiles' permission.

One of the roles also have the 'administer users' permission and it can use the filter without any problem ; the other role doesn't have the 'administer users' permission and when a user with this role is trying to use the filter it leads him to a 404 page not found (it's the same url than the original list but providing a value for that filter causes this behavior).

Demo

Comments

MacSim created an issue. See original summary.

cilefen’s picture

cilefen commented

What happens if you remove user.mail from the filter?

macsim’s picture

macsim commented

@cilefen, if I remove user.mail the filter is working as expected - no 404 (I mean almost working as expected... I can't filter by the mail anymore)

cilefen’s picture

cilefen commented

Can users with “access user profiles” permission usually see email addresses, on user profiles?

macsim’s picture

macsim commented

The email field is not displayed on the user page, so no he can't.
Except for those who have a login name equals to their email

cilefen’s picture

cilefen commented

Could this be something you must do in custom code to make the email visible to users who don’t have the “administer users” permission rather than a bug?

macsim’s picture

macsim commented

According to the fact that the "administer users" permission opens the access to /admin/users, by default there's no way for someone not having this permission to access the filter on this page. And since our dashboard is not the same thing and doesn't work the same way, you're probably right. I am gonna try to.

Should we change the status to "closed (won't fixed)" / "closed (works as designed)" or do you want to keep it "active" until my tests are done?

cilefen’s picture

cilefen commented
Category: Bug report » Support request

We can do this.

macsim’s picture

macsim commented
Status: Active » Closed (works as designed)

And we can do this too since you helped me a lot and I just noticed a "view user email addresses" permission that was brought in core 9.2 with this issue https://www.drupal.org/project/drupal/issues/2799049 which fixes my use case.

It was right in front of me since the beginning 😅

Thank you really much for your patience and help @cilefen ! 🫵👍