Views results empty for unprivileged user when using Relationship: Content: Referenced Product

fixed with latest dev's of views and commerce but now getting the https://drupal.org/node/1265152 error

Experiencing same issue for anonymous users (Views 7.x-3.x-dev) when using Referenced Product (Commerce 7.x-1.x-dev). Other content views functioning properly. Attempted rebuilding permissions, flushing cache, modifying Views access by Role then Permission but no success. Subscribing.

#1 comment on the mentioned issue above solves this

but can someone confirm that "Disable Query Rewritting" does not create other problems ?

my view was working fine until I updated views to dev version 10 days ago

EDIT:
this is the warning in the query settings

#4 worked for me.

#4 worked for me .

#6 worked for me.

but is the best solution?

Subscribe.

I have the same problem, #4 works for all views except cart #6 works for cart.

This only happened to me after I updated to the latest release of views.

#4, #6 cant be a long term solution to the problem, is there any progress on fixing this?

IMO this is probably not a bug. We're giving access to products through a view like this, and an anon user doesn't have privileges on them.

The relevant views discussion is in #1222324: Fix query access control on relationships

This is critical, as it breaks an enormous number of existing installs. It is in fact a result of #1222324: Fix query access control on relationships and I'm not sure what we should do about it. There are piles of views that depend on the old behavior.

Randy, can you clarify for me how the other issue interacts with this one? I don't know the history behind it, but it looks like you bumped this to critical even though the problem is a bug in Views itself. Is the issue jus with the Views 3.0-rc3 release, or is it still just in Views dev?

This issue is back to the state of the original report using commerce -dev and views -dev -- anonymous users can't see their cart.

Ryan, Randy - what is the recommended quickfix when having this issue? Should I give "View any Product product" privilege to anon users?

I took a quick look at the permissions on product entities. If I enable view any product type for anon users, they are still unable to access products at admin/commerce/products/1234, but the access control on the menu item itself is just commerce_product_access, which would allow it. I'm assuming anon users are bumped out of anything below admin/* by parent menu items. Seems like it might also accidentally allow access to view the entity at other URLs perhaps added by third party modules.

It would be quite straightforward to add a new permission to "view products of any type in queries" and change commerce_product_query_commerce_product_access_alter() to check that permission in addition to the built in entity permission, give anon users access by default and add a simple update script.

#5 does not allow for an anon user to view a cart though. It only allows them to view the products.

I've just checked and #6 fixes the issue and does allow anonymous users to view their carts. At least, for me it does.

Anyways, I have a question of another kind. On permissions page it says that if I give away "View any product of any type" permission, that would be a security issue. But admin pages with enlisted products are still closed for anonymous users. So, what is the danger of giving it away?

I am also using #6 and can confirm it is working. But, I am also concerned about security implications.

Any detail what the implications are or how at risk we are for using this workaround?

#5 works for me .

tnx @GiorgosK

@Aussiejen, you can show the attributes in the cart by amending your view. I'm putting together something similar, although it's just sizes. My line items show the size alongside the product.

I have put the attributes in the cart by amending the view, but I did need to implement #6 to make the cart visible to anonymous users

#5 worked and $6 also worked for me but still haven't seen an answer above as to which is better to do, so... subscribing.

sorry just a mistake

#5 Works good so far. Will this be the final solution?

Kirk

Removing "1.1 blocker" tag as 1.1 is out since 2011-Nov-29.

I used #5 and it worked... still a bit nervous as to working with "quick fixes" :) but for now it will do.

Thanks for the help...hope to see this "feature" resolved soon :)

@ajaysolutions, You don't need to post a comment to "subscribe" any more; there is a "Follow" button in the upper-right corner of the issue page. Thanks!

lol If only we were on Facebook so I could "Like" your comment. ; )

hmmm...good idea Ryan! Drupal.org should incorporate the 5star rating module or a similarly a "Like" option :)

For a while now there's been a fix in Views (now part of 3.1) and patches by bojanz to attempt a solution in Commerce as well. I'd be interested in seeing if the patch in #1323366: Query access fails in certain cases on post-RC1 Views fixes this for anyone before marking this a duplicate.

hmmm...with the latest updates it's still a problem...so far the only real "quickfix" is #5 "Disable Query Rewritting"

Guys, I recently had to explain to a colleague the implications of disabling SQL rewriting, so I thought it would be useful to share it here. However, can someone who knows SQL rewriting intimately please validate that this is correct?

So my attempt at a layperson's explanation goes like this... feedback please:

Whenever there is access control involved, query rewriting is used. So for example, if you want the results of a view to be filtered by a specific user, or specific role, then query rewriting is used.

This applies when you are relying on Drupal to do the filtering based on user permissions. For example, if in the user permissions you specify that an order can only be viewed by the person who made the order, and then you create a view that lists all orders in the system, the result of the views will contain only orders belonging to the currently logged in user. So, internally, Views goes and gets everyone's orders, then asks Drupal which one of those orders it should display. Drupal then uses the query rewrite to tell Views how to filter the results.

If you turn off query rewriting, Views will not go and ask Drupal to filter the results, and will display everything. Which is probably what you don't want.

But, you can still achieve the same effect by getting Views to take more control of the results, and applying that filtering within Views itself. If you do this, then it doesn't matter whether query rewriting is enabled or now... the View you create wil be doing the filtering based on the rules you give it.

Which is why, in the warning message that comes up in Views when you disable query rewriting, it says:

"This may allow users to see data they should not be able to see if your view is misconfigured"

Note the bold text. Basically, it doesn't say that it will open up a security hole, full stop. It says that it *may* open up a security hole (which allows users to view unauthorised content), if you do not explicitly handle that access control filtering within Views itself.

And disabling the query rewrite only affects that view for which you have disabled it for. It does not mean the whole system now ignores query rewriting.

What I would suggest is:

1. If the info you want to display with Views isn't ultra sensitive (eg if you don't mind one user accidentally seeing another user's orders), then disable it for now while we wait for a fix. But,

2. Make sure you explicitly handle any access control requirements and filtering within the View itself.

#5 solved my problem.

#5 is work. Turns out that the use of unsafe Commerce?

@Caone: try to clear your cache it should work

We are using the "Disable SQL rewriting", however I can't figure out (and no answer in this issue) what the view product permissions security issue
"Warning: Give to trusted roles only; this permission has security implications." is. And if it is an issue, why a new permission is not created instead of disabling it all together using the "Disable SQL
rewriting".
I also think 'Semantically' that the "view products" permission should be 'true' by default and any security involved should be moved to another permission.
And that not only views use this permission but all other places like the product reference formatter

thanks @rfay,
I would much prefer to enable the "View any product of any type" then use the "Disable SQL rewriting" as we have no special conditions for products.

We didn't find any security reason why not to. its only that If something does go wrong and and we ignored a security warning...

Sounds to me like this issue can be closed down by rewording the permission description.

I can see this feature of not showing products to anonymous users very helpful if you've got a subscription-based service or sell very kinky stuff but by default I think the concept of an online store is to show your products to anyone.

I'm running a drupal commerce website for a client now for less than a month (20 000 pageviews, 3000 visitors, plenty sales) and have not come across anything that looks suspicious or security holes that I can see so I guess the "Disable SQL Query" warning is perhaps just a fineprint to cover all bases :)

DRUPAL COMMERCE ROCKS!!!