A 'link' field allows users to either enter an external link or use autocomplete for an existing entity in the system. If a user enters an autocompleted node with restricted access into a link field (entity reference - not a hardcoded path), the link will still print.
Consider the following:
- Clean D8 install - create a custom block_content block with one 'link' field with unlimited cardinality
- Add two 'Articles' - one published, one unpublished
- Add both articles to your new block_content block just created
- Place the block
- Note both articles print
Ideally this would work like the entity reference field, and when we know we have a entity ref to a node, access would be respected for those.
I tried searching issue queue for similar report (thought there may be some history behind this issue), but didn't find anything. Apologies if this is a duplicate.
Needs work
11.0 π₯
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.