Problem/Motivation

The CSV icon/link appears on the parent view and assumes that the parent view and attached view have the same access conditions. If the parent view and the export view have different access rules, this can lead to the CSV button being rendered and then leading to a 403 once clicked on.

Proposed resolution

Run an access check on the export display prior to rendering the CSV icon/link on the parent view.

Remaining tasks

Tests

User interface changes

Comments

Juterpillar created an issue.

Juterpillar’s picture

I've attached a patch that implements an access check before rendering the CSV button/link.

Mikael Berger’s picture

The patch seems to work, I have implemented it in a site built with Drupal 8.3.7 and all is good.

thtas’s picture

A different version of the patch attached with the same logic, just fewer lines of code changed.

thtas’s picture

FileSize
601 bytes

oops - fixed patch

kevin.dutra’s picture

Status: Active » Needs review

Don't forget to mark it as needing review once you add a patch, otherwise people won't realize that there was progress made. :)

The last submitted patch, 2: views_data_export_icon_access_2851939.patch, failed testing.

kevin.dutra’s picture

Status: Needs review » Needs work

This change seems good to me and I've tested it out. The only thing that would be great to have is an automated test to ensure that a regression doesn't pop up.

jhedstrom’s picture

Interesting. This also happens with the core Rss and Opml style plugins, so an ideal fix would be in core (which just seems like not calling the attachTo() method would suffice).

Can you add a core bug, then a @todo comment to this patch noting that the code can be removed once the core bug is fixed (and also a link to the bug in the code comment)?

matslats’s picture

The latest 1.0 release of June 20 seems not to have included the patch #6 and prevented it from applying...
Has the bug been fixed in another way?

matslats’s picture

Status: Needs work » Fixed

Yep, I think the bug was fixed another way.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.