User reference fields can reference anonymous users even when they are configured not to

Created on 6 April 2016, about 9 years ago

Updated 19 July 2023, over 1 year ago

When configuring an entity reference field for users, you can choose to disallow anonymous user selection. However, this only works when providing the list of autocomplete values, but is completely ignored during validation. It seems that this bug even allows you to bypass the "required" flag of the field.

You can see this bug by:

Using any user reference field with the autocomplete widget
Configuring it to disallow anonymous users
Manually typing in "Anonymous (0)" or really "Anything foo bar (0)", as long as it ends with "(0)"
Saving the content

Expected behavior:
The entity reference autocomplete widget should throw a validation error saying "Foo bar (0)" is invalid, just like it would with "Foo bar".

When showing radio buttons, people with 'administer users' are shown Anonymous as an option because of some logic in UserSelection not setting any condition and thus selecting all users (including UID 0) from the {users} table.

🐛 Bug report

Status

Needs work

Version

11.0 🔥

Component

Entity →

Last updated 1 day ago

Maintained by
🇬🇧United Kingdom @catch
🇨🇭Switzerland @berdir
🇩🇪Germany @hchonov

Created by

🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇬🇷Greece balis_m
Patch from #51 does not apply to Drupal 10.1.1. So, I rerolled it.
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update over 1 year ago
Patch Failed to Apply
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update over 1 year ago
29,401 pass, 7 fail

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024