"Private" field permissions on non-authored entities like Custom Blocks are always visible to anonymous users

Created on 17 May 2021, about 4 years ago
Updated 10 July 2024, 11 months ago

Problem/Motivation

The "Private" field permission plugin defines itself as "Only author and administrators can edit and view." For entities, like Blocks, that don't have an author, I would think that a field marked "Private" would only be available to edit or view if you were an administrator, and it would just ignore the "author" part. But instead, Block fields marked "Private" are available to all users to view and (for roles with the edit permission on the block) edit. That's because the default return is "TRUE" here: https://git.drupalcode.org/project/field_permissions/-/blob/8.x-1.x/src/...

Steps to reproduce

1. Add a custom "Testing" block type with two fields - the Body, and a text field marked with some name like "I'm private"
2. Make the "I'm private" field a Private field.
3. Create a new "Testing" block and add it to the page using Block Layout. Put a value in both the Body field and the "I'm private" field.
4. Visit the page as an anonymous user. See both fields in the block, when I'd expect you to only see the Body field value.

Proposed resolution

The simple solution would be to default to FALSE instead of TRUE here: https://git.drupalcode.org/project/field_permissions/-/blob/8.x-1.x/src/.... But is that really the answer? How has this not come up for other people before? What might changing this break?

I suppose, alternatively, we could change the description of this plugin to be something like "Only author and administrators can edit and view. If there is no author for this entity, this is the same as Not Set."

Remaining tasks

- Figure out the way forward & submit a patch
- If changing the return value to "False" instead of "True", fix the tests.

User interface changes

TBD

🐛 Bug report
Status

Needs review

Version

1.0

Component

User interface

Created by

🇺🇸 United States mariacha1
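
The fail-open default described in this issue, as a simplified model added here (it is not the field_permissions module's code). The class names, the permission string and the `$failOpen` switch are hypothetical, and PHP 8 is assumed.

```php
<?php
// Simplified model of a "Private" field access check; not the module's code.
// All names here (Account, OwnedEntity, the permission string) are hypothetical.

interface OwnedEntity { public function ownerId(): int; }

final class Account {
  public function __construct(public int $id, private array $permissions = []) {}
  public function can(string $permission): bool {
    return in_array($permission, $this->permissions, true);
  }
}

final class Node implements OwnedEntity {
  public function __construct(private int $owner) {}
  public function ownerId(): int { return $this->owner; }
}

// Custom blocks have no author, so this class does not implement OwnedEntity.
final class CustomBlock {}

function privateFieldAccess(object $entity, Account $account, bool $failOpen): bool {
  // Administrators always pass.
  if ($account->can('administer private fields')) {
    return true;
  }
  // Authored entities: only the owner passes.
  if ($entity instanceof OwnedEntity) {
    return $entity->ownerId() === $account->id;
  }
  // No owner to compare against: the reported behaviour returns TRUE here.
  return $failOpen;
}

// Constructed sample accounts; uid 0 stands for the anonymous user.
$anonymous = new Account(0);
$author = new Account(7);
$admin = new Account(1, ['administer private fields']);

$cases = [
  'anonymous / block' => [new CustomBlock(), $anonymous],
  'admin / block'     => [new CustomBlock(), $admin],
  'author / own node' => [new Node(7), $author],
  'anonymous / node'  => [new Node(7), $anonymous],
];
foreach ($cases as $label => [$entity, $account]) {
  printf("%-18s default TRUE: %-5s default FALSE: %s\n", $label,
    var_export(privateFieldAccess($entity, $account, true), true),
    var_export(privateFieldAccess($entity, $account, false), true));
}
```

Only the "anonymous / block" row differs between the two defaults, which is the case reported in the steps to reproduce.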
