- 🇭🇺Hungary mxr576 Hungary
AuthorFormatter might have same bug.
It should not ...
\Drupal\user\Plugin\Field\FieldFormatter\AuthorFormatter::checkAccess()
- Merge request !10017 Check if user has view access before a link is rendered and tests for it → (Open) created by lukasss
- First commit to issue fork.
- 🇷🇺Russia Chi
I wonder if $entity->toUrl()->access() is more appropriate here than $entity->access('view').
- 🇷🇺Russia lukasss Novoukrainskoe
If an entity type doesn't have any link templates, we get: Cannot generate default URL because no link template 'canonical' or 'edit-form' was found for the 'entity_test_label' entity type
There is a test that checks this.
https://git.drupalcode.org/project/drupal/-/blob/11.x/core/modules/field...
- 🇺🇸United States smustgrave
Have not yet reviewed, but the issue summary appears to be incomplete. Bugs should contain steps to reproduce and a proposed solution. If other sections don't apply, N/A is fine.
- 🇮🇳India KumudB Ahmedabad
There is a conflict on the MR, so I have implemented the code here; please update this on the MR. The error below is displayed on the MR:
Conflict: This file was modified in both the source and target branches. Ask someone with write access to resolve it.
To resolve the issue where the EntityReferenceLabelFormatter improperly renders links to entities when the user has "view label" access but not "view" access, we need to add an additional access check within the viewElements() function. Specifically, we should ensure that the link is rendered only if the user has both "view label" and "view" access to the entity.

  /**
   * {@inheritdoc}
   */
  public function viewElements(FieldItemListInterface $items, $langcode) {
    $elements = [];
    $output_as_link = $this->getSetting('link');

    foreach ($this->getEntitiesToView($items, $langcode) as $delta => $entity) {
      $label = $entity->label();
      // Check if the user has "view label" access.
      if ($entity->access('view label')) {
        $uri = NULL;
        // If the link is to be displayed, ensure "view" access as well.
        if ($output_as_link && !$entity->isNew() && $entity->access('view')) {
          try {
            $uri = $entity->toUrl();
          }
          catch (UndefinedLinkTemplateException $e) {
            // This exception is thrown by \Drupal\Core\Entity\Entity::urlInfo()
            // and it means that the entity type doesn't have a link template nor
            // a valid "uri_callback", so don't bother trying to output a link for
            // the rest of the referenced entities.
            $output_as_link = FALSE;
          }
        }

        if ($output_as_link && isset($uri) && !$entity->isNew()) {
          $elements[$delta] = [
            '#type' => 'link',
            '#title' => $label,
            '#url' => $uri,
            '#options' => $uri->getOptions(),
          ];

          if (!empty($items[$delta]->_attributes)) {
            $elements[$delta]['#options'] += ['attributes' => []];
            $elements[$delta]['#options']['attributes'] += $items[$delta]->_attributes;
            // Unset field item attributes since they have been included in the
            // formatter output and shouldn't be rendered in the field template.
            unset($items[$delta]->_attributes);
          }
        }
        else {
          $elements[$delta] = ['#plain_text' => $label];
        }
        $elements[$delta]['#entity'] = $entity;
        $elements[$delta]['#cache']['tags'] = $entity->getCacheTags();
      }
    }

    return $elements;
  }

Key Changes Made
1. Added view label Access Check:
- Before rendering anything, ensure the user has at least "view label" access to the entity.
if ($entity->access('view label')) { ... }
2. Added view Access Check for Links:
- Ensure that links are rendered only if the user has both "view label" and "view" access to the entity.
if ($output_as_link && !$entity->isNew() && $entity->access('view')) { ... }
Testing the Changes
Scenario 1: User with Both "view label" and "view" Access
- Expect the label to render as a clickable link to the entity's canonical page.
Scenario 2: User with Only "view label" Access
- Expect the label to render as plain text, with no clickable link.
Scenario 3: User with No Access
- Expect no label to be rendered for entities the user lacks access to.
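The three scenarios listed above, plus the missing-link-template case raised earlier in the thread, as a stand-alone PHP model that runs without Drupal. This is an added example, not part of the comment above or of Drupal core; StubEntity, renderReference() and the sample cases are constructed for illustration, and the model decides per item rather than disabling links for the remaining entities.

```php
<?php
// Added illustration, not Drupal core code. StubEntity and renderReference()
// are hypothetical stand-ins for an entity and the formatter's per-item logic.
final class StubEntity {
  public function __construct(
    private string $label,
    private array $grantedOps,  // Operations the current user is allowed.
    private ?string $canonical, // NULL models a type with no link templates.
  ) {}
  public function label(): string { return $this->label; }
  public function access(string $operation): bool {
    return in_array($operation, $this->grantedOps, TRUE);
  }
  public function toUrl(): string {
    if ($this->canonical === NULL) {
      throw new RuntimeException("No link template 'canonical' was found.");
    }
    return $this->canonical;
  }
}

function renderReference(StubEntity $entity, bool $outputAsLink): ?array {
  if (!$entity->access('view label')) {
    return NULL; // Scenario 3: nothing is rendered.
  }
  $url = NULL;
  // The link needs "view" access in addition to "view label".
  if ($outputAsLink && $entity->access('view')) {
    try { $url = $entity->toUrl(); }
    catch (RuntimeException $e) { /* No link template: stay plain text. */ }
  }
  return $url === NULL
    ? ['#plain_text' => $entity->label()]
    : ['#type' => 'link', '#title' => $entity->label(), '#url' => $url];
}

// Constructed cases: [granted operations, canonical path, expected first key].
$cases = [
  [['view label', 'view'], '/node/1', '#type'],       // Scenario 1: link.
  [['view label'], '/node/1', '#plain_text'],         // Scenario 2: plain text.
  [[], '/node/1', NULL],                              // Scenario 3: hidden.
  [['view label', 'view'], NULL, '#plain_text'],      // No link template.
];
foreach ($cases as [$ops, $path, $expected]) {
  $build = renderReference(new StubEntity('Example', $ops, $path), TRUE);
  $actual = $build === NULL ? NULL : array_key_first($build);
  if ($actual !== $expected) { throw new LogicException('Unexpected output for: ' . json_encode($ops)); }
}
echo "All four cases render as expected.\n";
```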
- Merge request !10163 drupal-3293287: view access label rendered only if the user has both view... → (Open) created by KumudB
- 🇷🇺Russia lukasss Novoukrainskoe
I think this issue can be closed.
Latest changes:
https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co...
https://git.drupalcode.org/project/drupal/-/blob/11.x/core/modules/media...