It seems that, based on the security changes recently added as a result of https://drupal.org/node/2140237, Entity reference is a tad bit overzealous with protecting node labels.

I may misunderstand this, but it seems that when entities are defined, they may specify an "access callback" function which returns definitively whether a user has access to its entity.

This does not seem to be required, however, and in the case that it is not, the returned value will simply be "null".

Since null is not truthy, of course, Entity reference will [currently] misconstrue this as denied access, when in fact access is NOT denied. As such, Entity reference needs to check whether the returned value is explicitly "false".

This patch should do that.

CommentFileSizeAuthor
entityreference-label_access_respecting_null.patch867 bytesOfflein

Comments

Offlein’s picture

Offlein commented

A more-concise version of this same patch was just created at #2153463: Restricted access results with user entityreference, although I'm not sure if the parent issue is the same as what's solved in our patches.

anybody’s picture

anybody
Primary language German
Location Porta Westfalica
commented
Status: Needs review » Closed (duplicate)

Yes, this is a duplicate. Let's close this and continue in the other thread. I've also set the other issue as major.

cortlandd’s picture

cortlandd commented

Check permissions under User, and make sure whatever the user permission is they can "View user profiles".

phuocdv’s picture

phuocdv commented

#3 work for me
you need permission "View user profiles" in link "/admin/people/permissions"