-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #3339566 by vnech: Entity access is ignoring in "Custom content list block" block type #3305
Issue #3339566 by vnech: Entity access is ignoring in "Custom content list block" block type #3305
Conversation
Thanks for contributing towards Open Social! A maintainer from the @goalgorilla/maintainers group might not review all changes from all teams/contributors. Please don't be discouraged if it takes a while. In the meantime, we have some automated checks running and it might be that you will see our comments with some tips or requests to speed up the review process. 😊 |
86844f6
to
8a30c02
Compare
…ntent list block" block type
8a30c02
to
5daf76a
Compare
@@ -162,6 +172,13 @@ static function ($field_name) use ($block_content) { | |||
->loadMultiple($entities); | |||
|
|||
foreach ($entities as $key => $entity) { | |||
// @todo Better to move to entity query check but |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nechai could you explain more (here in GitHub comment) how did you try to make it better and why it didn't work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, this needs a bit more explaining on why this change is needed, also release notes are a bit vague. Ideally we would write tests for this, so we don't break it in the future again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I mean here that group visibility doesn't implemented on query level... To achieve this we should rewrite default group query access handler. This work require deeper investigation and refinement as can have critical impact on the whole distro.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -162,6 +172,13 @@ static function ($field_name) use ($block_content) { | |||
->loadMultiple($entities); | |||
|
|||
foreach ($entities as $key => $entity) { | |||
// @todo Better to move to entity query check but |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, this needs a bit more explaining on why this change is needed, also release notes are a bit vague. Ideally we would write tests for this, so we don't break it in the future again.
Tugboat has finished building the preview for this pull request! Link: Dashboard: |
5 similar comments
Tugboat has finished building the preview for this pull request! Link: Dashboard: |
Tugboat has finished building the preview for this pull request! Link: Dashboard: |
Tugboat has finished building the preview for this pull request! Link: Dashboard: |
Tugboat has finished building the preview for this pull request! Link: Dashboard: |
Tugboat has finished building the preview for this pull request! Link: Dashboard: |
@nkoporec I agree that would be nice to have behat tests for that feature but as there are a lot of cases that need to be covered (custom content list block can display any content entity in OS) I suggest to create a follow up for tests (currently I don't have a time to work on it). |
Hi @nechai and @nkoporec |
🍒 picked to 11.6.x, 11.7.x, 11.8.x |
Problem
Anonymous users can see
![alt](https://camo.githubusercontent.com/7ec7b3cf1968f3a36aea73481e2a1fb9b5f79ca7319009d504e322a3c08e62b5/68747470733a2f2f7777772e64727570616c2e6f72672f66696c65732f6973737565732f323032332d30322d30362f53637265656e73686f74253230323032332d30322d3036253230617425323031322e33332e34332e706e67)
community
secret
flexible group teasers in "Custom content list block" block:Should be:
![alt](https://camo.githubusercontent.com/63d25004e3d356af6a751630bc6d9492dc0b00c4d0c55b690aa00f97d8d052db/68747470733a2f2f7777772e64727570616c2e6f72672f66696c65732f6973737565732f323032332d30322d30362f53637265656e73686f74253230323032332d30322d3036253230617425323031322e34302e34332e706e67)
Solution
Add access check before entities view build.
Issue tracker
Theme issue tracker
n/a
How to test
public
,community
,secret
Definition of done
Before merge
After merge
Screenshots
Before changes:
![alt](https://camo.githubusercontent.com/7ec7b3cf1968f3a36aea73481e2a1fb9b5f79ca7319009d504e322a3c08e62b5/68747470733a2f2f7777772e64727570616c2e6f72672f66696c65732f6973737565732f323032332d30322d30362f53637265656e73686f74253230323032332d30322d3036253230617425323031322e33332e34332e706e67)
After changes:
![alt](https://camo.githubusercontent.com/63d25004e3d356af6a751630bc6d9492dc0b00c4d0c55b690aa00f97d8d052db/68747470733a2f2f7777772e64727570616c2e6f72672f66696c65732f6973737565732f323032332d30322d30362f53637265656e73686f74253230323032332d30322d3036253230617425323031322e34302e34332e706e67)
Release notes
Now "Custom content list block" block displays only content (and groups) that user has access to.
Change Record
n/a
Translations
n/a