To reproduce:
- create a node type
- add an entref field to it that points to users
- set its display formatter to 'Label', with no link.
- create a node and set some users in the field.
Now remove the 'view user profiles' permission from either the authenticated user or anon user roles.
Now view the node as various users:
- user without the permission: can see only themselves in the field (if they are in it)
- user with the permission: can see all field values.
This violates what the permission says. A user without the 'view user profiles' permission should still be able to see user *names* just not linked to the user profile page.
Comments
Comment #1
joachim commentedThe problem is here:
$item['access'] was set by checking entity_access('view', ...). Which tells you if you can see an entity. But for user entities the rules are slightly different -- if you can't view the user, you can still view the username (= the label).
Comment #2
joachim commentedWell this is ugly. Though not quite as ugly as I feared.
In this patch, I'm:
a. moving the skipping of items with no access to each formatter's loop. On the plus side, this saves us a foreach loop! :)
b. for the 'label' formatter, only do the skipping for non-user target entities
c. expand the code for determining whether or not to show a link (which is a good thing too IMO -- it was a pretty dense line of code!)
d. for user target entities, override the displaying of a link if the user had no permission. Because for users we skipped the skipping in b, this falls back to showing the username, which is the expected behaviour.
Comment #3
decibel.places commentedOMFG tearing my hair out trying to figure out why only admin can see the entityreference field...
Then I got a clue at #1412572: No access check when referred items are being viewed
https://drupal.org/node/1412572#comment-6054008
The patch applied to the 7.x-1.x branch cleanly - however there is still a slight difference in display with and without the View user profiles permission:
Without the permission, the text is plain, while with the permission, the text follows the field fomatting as a Label that links to the entity
but that's fine for my purposes
Comment #4
ivfc commentedThe patch in #2 worked great for me in solving this issue. Thank you!
Comment #5
dave kopecekYes!!! #2 Worked. joachim you are a RockStar. Thank you. This burned up several hours of my life that I'll never get back.
Comment #6
joachim commentedThanks for reviewing everyone!
I think this can go to RTBC.
Comment #7
damien tournoud commentedSorry but I cannot merge this. This is obviously a very big hack. I know the current behaviour is not optimal, but this is the only thing that Entity Reference can do without going into multiple entity type-specific hacks like this one.
Comment #8
joachim commentedThis would be covered by #1984130: referenced users output with the 'Label' formatter are not shown to users without the 'view user profiles' permission.