Link fields do not check access for entity refs

Created on 1 May 2018, over 6 years ago

Updated 14 May 2024, 4 months ago

A 'link' field allows users to either enter an external link or use autocomplete for an existing entity in the system. If a user enters an autocompleted node with restricted access into a link field (entity reference - not a hardcoded path), the link will still print.

Consider the following:
- Clean D8 install - create a custom block_content block with one 'link' field with unlimited cardinality
- Add two 'Articles' - one published, one unpublished
- Add both articles to your new block_content block just created
- Place the block
- Note both articles print

Ideally this would work like the entity reference field, and when we know we have a entity ref to a node, access would be respected for those.

I tried searching issue queue for similar report (thought there may be some history behind this issue), but didn't find anything. Apologies if this is a duplicate.

🐛 Bug report

Status

Needs work

Version

11.0 🔥

Component

Link →

Last updated 3 days ago

Maintained by
🇧🇷Brazil @Mac_Weber

Created by

🇺🇸United States trwill

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 4 months ago →
🇺🇦Ukraine s.kulyk
Updated patch to use the access check function in LinkSeparateFormatter.
Comment 4 months ago →
🇺🇦Ukraine solariel
Updated patch #23 to apply on latest core version

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024