To reproduce:

- create a node type
- add an entref field to it that points to users
- set its display formatter to 'Label', with no link.
- create a node and set some users in the field.

Now remove the 'view user profiles' permission from either the authenticated user or anon user roles.

Now view the node as various users:

- user without the permission: can see only themselves in the field (if they are in it)
- user with the permission: can see all field values.

This violates what the permission says. A user without the 'view user profiles' permission should still be able to see user *names* just not linked to the user profile page.

Comments

joachim’s picture

The problem is here:

  // Rebuild the items list to contain only those with access.
  foreach ($items as $key => $item) {
    if (empty($item['access'])) {
      unset($items[$key]);
    }
  }

$item['access'] was set by checking entity_access('view', ...). Which tells you if you can see an entity. But for user entities the rules are slightly different -- if you can't view the user, you can still view the username (= the label).

joachim’s picture

Status: Active » Needs review
StatusFileSize
new2.93 KB

Well this is ugly. Though not quite as ugly as I feared.

In this patch, I'm:

a. moving the skipping of items with no access to each formatter's loop. On the plus side, this saves us a foreach loop! :)
b. for the 'label' formatter, only do the skipping for non-user target entities
c. expand the code for determining whether or not to show a link (which is a good thing too IMO -- it was a pretty dense line of code!)
d. for user target entities, override the displaying of a link if the user had no permission. Because for users we skipped the skipping in b, this falls back to showing the username, which is the expected behaviour.

decibel.places’s picture

OMFG tearing my hair out trying to figure out why only admin can see the entityreference field...

Then I got a clue at #1412572: No access check when referred items are being viewed
https://drupal.org/node/1412572#comment-6054008

The patch applied to the 7.x-1.x branch cleanly - however there is still a slight difference in display with and without the View user profiles permission:

Without the permission, the text is plain, while with the permission, the text follows the field fomatting as a Label that links to the entity

but that's fine for my purposes

ivfc’s picture

The patch in #2 worked great for me in solving this issue. Thank you!

dave kopecek’s picture

Yes!!! #2 Worked. joachim you are a RockStar. Thank you. This burned up several hours of my life that I'll never get back.

joachim’s picture

Issue summary: View changes
Status: Needs review » Reviewed & tested by the community

Thanks for reviewing everyone!

I think this can go to RTBC.

damien tournoud’s picture

Status: Reviewed & tested by the community » Closed (won't fix)

Sorry but I cannot merge this. This is obviously a very big hack. I know the current behaviour is not optimal, but this is the only thing that Entity Reference can do without going into multiple entity type-specific hacks like this one.