Contrib.social

Views results do not respect Group permissions

Open on Drupal.org →
Created on 15 December 2019, over 4 years ago
Updated 30 November 2023, 7 months ago

Not sure if I am doing something wrong, but it seems that due to views caching, the views results are not updated between different users when showing group content. As a result, two different users which have access to two different private groups, will see the same results in the view.

Steps to reproduce:
1) Create two users, userA and userB.
2) Create a new ContentType and a new GroupType. The Group Type will be private, so only members can access the group content.
3) Add the Content Type as available content for the Group Type.
4) Create two different Groups and assigne userA as member to GroupA and userB as member to GroupB.
5) Add some group content with userA and some other group content with userB. Check that the nodes have been correctly assigned to its group.
6) Create a new view which displays "Group Content" and show the titles of the new nodes.

The expectation is that userA will see only group content from GroupA, while userB will see group content only from GroupB. However, due to views caching both users will see the same results, which will be either the contents of the GroupA or the contents of groupB depends on which user first accessed the view.

PS1: If I perform a cache rebuild, then the view is updated and show correct results, but if it is accessed again, it is not updated.
PS2: If I disable views caching, everything works as expected.
PS3: If I list "Nodes" instead of "Group Content" in the view, everything works as expected with the views cache enabled.

🐛 Bug report
Status

Active

Version

3.2

Component

Code

Created by

than_nak87

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 7 months ago
    🇨🇦Canada liquidcms

    A few years later.. but same issue.

    D9.5.11/G3.2.1

    A (content/node) view listing a member's articles. Some in group, some not in group. The member can see both group and non-group content authored by the member; but the group admin cannot see the member's group articles (or their non group articles, but that part is correct).

  • Comment 7 months ago
    🇨🇦Canada liquidcms

    I think John's comment above that this has noting to do with views caching is correct. But i am not sure the answer is to make this a group content view and add in node context. My guess is this is fine for a view of only group content. My use case is users have a mix of group and non-group content. I think that solution breaks this.

    What is likely needed is for my view to be a node view (since i am listing nodes), which then seems to be unaware of group limited node access, and then add something to give it group context so it can include group permissions limiting node access.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024