[5.x] Authorize relationship fieldtype data #14718
Merged
Gates the relationship and assets fieldtypes so they no longer disclose resources the requesting user cannot view. Listing now gates on the parent container or the relevant permission (mirroring the CP listings); by-id resolution authorizes each item and returns a redacted placeholder for unauthorized or not-found ids. Covers the relationship, assets-fieldtype, and field-meta (preload) endpoints. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Structures back onto collections and navs; gate each item through the backing resource's policy (CollectionPolicy/NavPolicy) instead of a coarse configure-collections-or-navs check, which both leaked across types and was over-restrictive. Clarifies the AssetFolder dynamic-container case. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Unviewable or missing relationship and asset selections now render as a muted, non-error placeholder with a tooltip covering both the deleted and no-permission cases, instead of the red broken state. Also fixes a crash where an unauthorized asset placeholder hit a TypeError in the asset field. Frontend only; the uniform backend placeholder is unchanged so no existence oracle is introduced. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ip listings The relationship picker now returns an empty result set when the user lacks access to a listing, matching its existing filter-to-viewable behavior, instead of a 403 that surfaced as an error in the picker UI. Also ensures the zero-viewable case does not expose columns from a blueprint the user cannot view. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…load Relationship preload derived listing columns from the configured collection's blueprint without authorizing it, exposing column metadata via the field-meta endpoint. Columns are now derived only from collections the user can view, falling back to the default columns otherwise. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirrors the collection fix: term relationship columns are now derived only from taxonomies the user can view, falling back to the default columns otherwise. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jasonvarga added a commit that referenced this pull request May 22, 2026
This commit intentionally avoids trying to resolve frontend changes from PR #14718 - they are cosmetic and will come in a future commit.
# Conflicts:
# resources/css/components/assets.css
# resources/css/components/items.css
# resources/js/components/fieldtypes/assets/Asset.js
# resources/js/components/fieldtypes/assets/AssetRow.vue
# resources/js/components/fieldtypes/assets/AssetTile.vue
# resources/js/components/inputs/relationship/Item.vue
# resources/lang/de/messages.php
# resources/lang/de_CH/messages.php
# src/Fieldtypes/Entries.php
# src/Fieldtypes/Terms.php
This was referenced May 22, 2026
Relationship-style fieldtypes (Entries, Terms, Users, Assets, Structures, etc.) returned data to the CP without checking the user could view it. This scopes them to the user's permissions, using each resource's existing policy/permission — so super admins and existing grants are unaffected.
Frontend: unviewable selections render as a muted placeholder (value preserved, still removable) instead of the red "broken" state; also fixes a crash in the asset field's placeholder.
Behavior note: Entries/Terms listings previously returned a 403 when the user could view none of the configured collections/taxonomies. They now return an empty list, consistent with the rest of the picker.
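The authorization pattern the description and commit messages lay out, as an added illustration that is not Statamic's code: by-id resolution runs the backing resource's view policy on every item and returns one uniform redacted placeholder for missing and unauthorized ids (so neither a 403 nor a 404 can act as an existence oracle), and a listing filters the configured containers to the viewable ones and returns an empty result with default columns instead of a 403 or the unviewable blueprint's columns. The entries, collections, blueprint columns, `User` type and `can_view_collection` policy are constructed sample data and a hypothetical stand-in, not the project's API.

```python
from dataclasses import dataclass

# Constructed sample data standing in for entries, collection blueprints
# and the user's grants; none of this is Statamic's real data model.
ENTRIES = {
    "e1": {"id": "e1", "title": "Public post", "collection": "blog"},
    "e2": {"id": "e2", "title": "Board minutes", "collection": "internal"},
}
BLUEPRINT_COLUMNS = {"blog": ["title", "author"], "internal": ["title", "attendees"]}
DEFAULT_COLUMNS = ["title"]


@dataclass(frozen=True)
class User:
    super_admin: bool = False
    viewable_collections: frozenset = frozenset()


def can_view_collection(user: User, collection: str) -> bool:
    """Hypothetical stand-in for the backing resource's view policy."""
    return user.super_admin or collection in user.viewable_collections


def placeholder(item_id: str) -> dict:
    """One redacted shape for both missing and unauthorized ids: the id is kept
    so the selection stays removable, but nothing distinguishes the two cases."""
    return {"id": item_id, "title": None, "invalid": True}


def resolve_by_id(user: User, ids: list) -> list:
    """By-id resolution: authorize every item and never raise 403/404 for a
    single id, since either status would tell the caller whether it exists."""
    out = []
    for item_id in ids:
        entry = ENTRIES.get(item_id)
        if entry is None or not can_view_collection(user, entry["collection"]):
            out.append(placeholder(item_id))
        else:
            out.append({"id": entry["id"], "title": entry["title"], "invalid": False})
    return out


def list_entries(user: User, configured_collections: list) -> dict:
    """Listing: keep only viewable containers. Zero viewable yields an empty
    result with default columns, not a 403 and not an unviewable blueprint's columns."""
    viewable = [c for c in configured_collections if can_view_collection(user, c)]
    columns = sorted({k for c in viewable for k in BLUEPRINT_COLUMNS[c]}) or DEFAULT_COLUMNS
    items = [e for e in ENTRIES.values() if e["collection"] in viewable]
    return {"columns": columns, "items": items}
```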