Currently the field_access checks on entity form / entity view are done by WidgetBase::form() / FormatterBase::view().
- There are cases when you might want to use a widget even if the current user has no permissions to edit the field - e.g in a exposed view filter. (less sure about use cases for using a formatter while you have no permissions to view the field...)
- This being done in base methods, there is no guarantee that some widgets / formatters don't override it - possible holes.
In Vienna, @fago argued that #access should be the responsibility of the caller, not of widgets / formatters themselves.
Thoughts ?
Comment | File | Size | Author |
---|---|---|---|
#5 | widget_formatter_access_check-2151699-5.patch | 2.49 KB | jsbalsera |
Comments
Comment #1
sun+1 - That makes perfect sense in terms of separation of concerns.
Comment #2
plopescHi,
Here we are almost in the same situation than #2151693: Widgets / formatters should return unwrapped $elements. This could be an easy fix for
FormatterBase::view()
, but we should do a bit tricky code infield_invoke_method()
, creating an exception when $method == 'form' forWidgetBase::form()
Should we postpone this on #2095195: Remove deprecated field_attach_form_*(), given that this patch will cause conflicts with both #2151693: Widgets / formatters should return unwrapped $elements and #2095195: Remove deprecated field_attach_form_*()? Or maybe merge this issue with #2151693: Widgets / formatters should return unwrapped $elements and modify
field_invoke_method()
only once.Comment #3
yched CreditAttribution: yched commentedPostponing on #2095195: Remove deprecated field_attach_form_*() makes sense, yeah.
Comment #4
jsbalseraWorking on this
Comment #5
jsbalseraFirst patch, moving the #access keys to the caller functions.
Comment #6
plopescCool.
Looks good to me.
Thanks @jsbalsera!!
Comment #7
yched CreditAttribution: yched commentedRTBC +1. Thanks @jsbalsera !
Comment #8
alexpottCan we get a better issue title for the commit message?
Comment #9
effulgentsia CreditAttribution: effulgentsia commentedSure.
Comment #10
catchCommitted/pushed to 8.x, thanks!