Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
The CSV icon/link appear on the parent view and assume that the parent view and attached view have the same access conditions. If the parent view and the export view have different access rules this can lead to the CSV button being rendered and then leading to a 403 once clicked on.
Proposed resolution
Run an access check on the export display prior to rendering the CSV icon/link on the parent view.
Remaining tasks
Tests
User interface changes
Comment | File | Size | Author |
---|---|---|---|
#6 | views_data_export_icon_access_2851939-6.patch | 601 bytes | thtas |
| |||
#2 | views_data_export_icon_access_2851939.patch | 2.46 KB | Juterpillar |
Comments
Comment #2
Juterpillar CreditAttribution: Juterpillar at Catalyst IT commentedI've attached a patch that implements an access check before rendering the CSV button/link.
Comment #3
Mikael Berger CreditAttribution: Mikael Berger as a volunteer commentedComment #4
Mikael Berger CreditAttribution: Mikael Berger as a volunteer commentedThe patch seems to work, I have implemented it in a site built with Drupal 8.3.7 and all is good.
Comment #5
thtas CreditAttribution: thtas commentedA different version of the patch attached with the same logic, just less lines of code changed.
Comment #6
thtas CreditAttribution: thtas commentedoops - fixed patch
Comment #7
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedDon't forget to mark it as needing review once you add a patch, otherwise people won't realize that there was progress made. :)
Comment #9
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedThis change seems good to me and I've tested it out. The only thing that would be great to have is an automated test to ensure that a regression doesn't pop up.
Comment #10
jhedstromInteresting. This also happens with the core Rss and Opml style plugins, so an ideal fix would be in core (which just seems like not calling the
attachTo()
method would suffice).Can you add a core bug, then a
@todo
comment to this patch noting that the code can be removed once the core bug is fixed (and also a link to the bug in the code comment).Comment #11
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedOpened core issue #3047216: Displays are attached even when user does not have access
Comment #12
matslats CreditAttribution: matslats commentedThe latest 1.0 release of June 20 seems not to have included the patch #6 and prevented it from applying...
Has the bug been fixed in another way?
Comment #13
matslats CreditAttribution: matslats commentedYep I think the bug was fixed another way