When you create a new view, by default there is no permission check unless you add one manually. So for example if anonymous users don't have 'access content' permission, they can still see node listings in a view if you forget to add that permission.
We discussed adding 'access content' by default, but merlinofchaos pointed out it's not that simple: "The problem with defaulting this way is that a 'users' view shouldn't default to 'access content'. That means you need different defaults per view type, which is not something Views supports at all."
Any other way this could be handled? Maybe an extra note in the help somewhere would be sufficient?
Comment | File | Size | Author |
---|---|---|---|
#8 | views-817360.patch | 1.48 KB | John Morahan |
Comments
Comment #1
moshe weitzman commented:
Well, why not require 'access content' by default for all types? Folks can remove it if they want.
Comment #2
merlinofchaos commented:
I am completely and 100% against adding default settings to a View that you have to remove if you aren't using it for the obvious listing of nodes.
Comment #3
moshe weitzman commented:
You only have to remove it if you actually have a class of users who don't have 'access content' and those same users are allowed to see what you are listing. I contend that this is a severe edge case. The benefit of preventing a common security hole outweighs the edge case inconvenience, IMO. It's a choice of least evil.
Comment #4
izmeez commented:
This was one of the things that hit me by surprise when I started using Drupal.
I think it would be more intuitive if the Views default restricted access to authenticated users.
This would at least close the "security hole" for unsuspecting newcomers and developers can then change this as they like.
Izzy
Comment #5
AlexisWilke commented:
merlinofchaos,
Looks like you're outweighed here... 8-)
I would tend to say that no protection would make sense since 99% of my views don't require it. But it is also a security issue because beginners won't know, and as an admin we tend to forget to test such things as an anonymous user... (especially beginners.)
That would be my vote: it'd be an annoyance in most cases, but probably a good idea. Although, if it uses the 'access content' permission, then it would not be so bad since most people have that turned on for everyone. Thus, it would work as before.
Thank you.
Alexis
Comment #6
merlinofchaos commented:
I'm sorry. Should I put your name as the Views maintainer, then? This is open source. It is collaboration, but at no time is this democracy.
Comment #7
merlinofchaos commented:
BTW, what I *would* accept is an analyze routine that might check to see if 1) it's a node view, 2) 'access content' is not available to both anonymous and authenticated users, 3) the view has no access control set.
This is precisely how I dealt with the 'no default filter for published nodes' issue, for exactly the same reasons.
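One way to implement the analyze routine described in comment #7, as an added example in a hypothetical module (not the committed patch and not Views' own code). It assumes Views' hook_views_analyze() / views_ui_analysis() analysis API and Drupal's user_roles() lookup by permission:

```php
<?php

/**
 * Implements hook_views_analyze().
 *
 * Hypothetical module "views_access_check": warns when a node view has no
 * access plugin while some role lacks 'access content'. Mirrors the three
 * conditions from comment #7; it changes no defaults and blocks nothing.
 */
function views_access_check_views_analyze($view) {
  $ret = array();

  // 1) Only node-based views are relevant; other base tables get no warning.
  if ($view->base_table != 'node') {
    return $ret;
  }

  // 2) Do anonymous AND authenticated users both hold 'access content'?
  // user_roles(FALSE, $perm) returns rid => name for roles granting $perm.
  $roles_with_access = user_roles(FALSE, 'access content');
  $everyone_has_access = isset($roles_with_access[DRUPAL_ANONYMOUS_RID])
    && isset($roles_with_access[DRUPAL_AUTHENTICATED_RID]);
  if ($everyone_has_access) {
    // Node content is effectively public; an access plugin would change nothing.
    return $ret;
  }

  // 3) Warn for every display whose access plugin is 'none' (or unset).
  foreach ($view->display as $id => $display) {
    $access = $display->handler->get_option('access');
    if (empty($access['type']) || $access['type'] == 'none') {
      $ret[] = views_ui_analysis(t('Some roles lack the %perm permission, but display %display has no access control, so those users can still see this node listing.', array(
        '%perm' => 'access content',
        '%display' => $display->display_title,
      )), 'warning');
    }
  }

  return $ret;
}
```

The warning only appears when the site actually has a role without 'access content', so views on the common "everyone can access content" setup stay silent, as merlinofchaos's condition 2 intends.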
Comment #8
John Morahan commented:
(No comment text; this comment carries the attached file views-817360.patch listed in the table above.)
Comment #9
izmeez commented:
Yes, in open source it is necessary to convince the maintainer(s) of the merits for any changes.
I'm certainly not comfortable with tying the views access to the content access permissions, but if the suggestion is to use those settings as a default it might be okay for beginners and still retain configuration at the views level.
If setting default access to authenticated users is not favoured, I wonder if an access status/warning could be included on the "/admin/build/views" page?
For beginners it might need to be highlighted at all times when access is not restricted or it could be highlighted when access is different from the access content permissions.
Just a thought, cheers,
Izzy
Comment #10
AlexisWilke commented:
merlinofchaos,
I'm also supporting many modules here and offer many patches to the maintainers who support modules I use (oddly enough, including views.)
Now a better approach, I think, is to offer the user to do it for $X. If they have the money, you win, if they don't, who cares?
As I said, since I'm not a beginner anymore, I don't care much.
One more thing: the views properly respect the node grants (at least, from what I've seen with the to_do module that I took over.) So users who hide pages "properly" using grants won't have any problems.
Thank you for all your efforts.
Alexis
Comment #11
dawehner commented:
Personally I would support this patch but not adding such a filter by default. This would need quite some specific stuff. Views is written abstract
Comment #12
merlinofchaos commented:
Committed to all branches.