- Issue created by @dpi
- @dpi opened merge request.
- Issue was unassigned.
- Status changed to Needs review
over 1 year ago 11:13am 1 February 2023
- 🇩🇪 Germany hchonov 🇪🇺🇩🇪🇧🇬
larowlan → credited hchonov →.
- 🇦🇺 Australia dpi Perth, Australia
It was hoisted into the security queue. @larowlan reckon we could get it reinstated?
- 🇭🇺 Hungary mxr576 Hungary
Our patches from the original sec issue could be re-uploaded here, but most probably an MR would be easier for everyone. Let that be 3039 or a new one.
- 🇦🇺 Australia dpi Perth, Australia
The patch was originally based off 3039.
I have the code for the MR locally. I'll push the branch as a new MR if we can't get 3039 back.
- 🇦🇺 Australia larowlan 🇦🇺.au GMT+10
@drumm had to delete it from gitlab, we will need to open a new one, if you've got the branch locally please go ahead dpi
- Merge request !3531 Issue #3336994: StringFormatter always displays links to entity even if the user in context does not have access → (Closed) created by dpi
- 🇦🇺 Australia dpi Perth, Australia
No worries.
MR !3531 replaces !3309
- Status changed to Needs work
over 1 year ago 3:38pm 24 February 2023
- 🇺🇸 United States smustgrave
Let me know if this was a wrong way to test.
I added a user field to a content type.
Made sure anonymous users cannot view information about user
Open private browser and I see the link to the user. This is with the patch.
- 🇦🇺 Australia dpi Perth, Australia
@smustgrave that might be \Drupal\Core\Field\Plugin\Field\FieldFormatter\EntityReferenceLabelFormatter, which also suffers the same problem in Entity reference label formatter may render link to inaccessible entity (Closed: duplicate).
The solution/tests are similar. Maybe the issues should be merged?
- 🇺🇸 United States smustgrave
Would be nice. Will let you make that call as Entity reference label formatter may render link to inaccessible entity (Closed: duplicate) still needs tests so wouldn't want to hold this fix up for that.
But if we keep separate how to best test this one?
- 🇦🇺 Australia dpi Perth, Australia
In most cases StringFormatter links to the entity it's attached to, so you'd need to deny access to view the canonical page. Could do this with a hook_entity_access, or regular permissions.
- Add a string field to an entity (Text (Plain))
- Manage display
- Configure field to display
- Formatter should be string (labeled: "Plain text", class is StringFormatter)
- Configure formatter
- Click Link to the XYZ checkbox.
- Save.
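An added example, not part of the original thread or of the merge request: a test-only module that denies anonymous "view" access through hook_entity_access, as the comment above suggests, plus a helper that reports whether an account may follow an entity's canonical link. The module name sf_access_test, both function names and the choice of nodes are assumptions.

```php
<?php

/**
 * @file
 * Hypothetical test-only module "sf_access_test" (the name is an assumption).
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_access().
 *
 * Forbids "view" on nodes for anonymous users, so the canonical page answers
 * 403 for them wherever a formatter might still print a link to it.
 */
function sf_access_test_entity_access(EntityInterface $entity, $operation, AccountInterface $account): AccessResultInterface {
  if ($operation === 'view' && $entity->getEntityTypeId() === 'node' && $account->isAnonymous()) {
    // Vary the cached result by whether the viewer is anonymous.
    return AccessResult::forbidden('Denied for the formatter link test.')
      ->addCacheContexts(['user.roles:anonymous']);
  }
  // No opinion for every other entity type, operation and account.
  return AccessResult::neutral();
}

/**
 * Reports whether $account may follow the entity's canonical link.
 *
 * Illustrative check only; it is not the code from the merge request.
 */
function sf_access_test_canonical_link_allowed(EntityInterface $entity, AccountInterface $account): bool {
  // Unsaved entities and entity types without a canonical route have no link.
  if ($entity->isNew() || !$entity->hasLinkTemplate('canonical')) {
    return FALSE;
  }
  // Url::access() runs the route's access checks for the given account.
  return $entity->toUrl('canonical')->access($account);
}
```

With the module enabled, the helper returns FALSE for an anonymous account on any saved node, which is the case in which a rendered link would lead to a 403.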
- First commit to issue fork.
- last update
11 months ago 29,447 pass, 4 fail
- 🇺🇸 United States drumm NY, US
The fork is no longer private and should be usable as normal again.
- last update
9 months ago 29,483 pass, 4 fail
- Environment: PHP 8.2 & MySQL 8, last update
9 months ago Not currently mergeable.
- @kksandr opened merge request.
- last update
9 months ago Custom Commands Failed
- Environment: PHP 8.2 & MySQL 8, last update
9 months ago Not currently mergeable.
- @kksandr opened merge request.
- Merge request !4858 Issue #3336994: StringFormatter always displays links to entity even if the user in context does not have access → (Closed) created by Unnamed author
- last update
9 months ago 30,206 pass, 4 fail
- last update
9 months ago 29,483 pass, 4 fail
- 🇦🇺 Australia acbramley
@kksandr you've opened multiple MRs and uploaded multiple patches, can you please close/hide the irrelevant ones and explain your work?
@acbramley Sorry, my mistake. I updated MR to be compatible with the 11.x branch. After that, I tried to apply MR as a patch on my site (Drupal 10.1), but it did not apply, so I separately rerolled the patch for 10.1.x
- 🇦🇺 Australia acbramley
@kksandr which MR is the correct one?
There was an existing one https://git.drupalcode.org/project/drupal/-/merge_requests/3531
You've created 3 more:
https://git.drupalcode.org/project/drupal/-/merge_requests/4856
https://git.drupalcode.org/project/drupal/-/merge_requests/4857
https://git.drupalcode.org/project/drupal/-/merge_requests/4858
This makes it very confusing to review, please close the incorrect ones.
kksandr → changed the visibility of the branch 3336994-stringformatter-access to hidden.
kksandr → changed the visibility of the branch 3336994-stringformatter-access-r5 to hidden.
- Status changed to Needs review
19 days ago 11:40am 6 June 2024
- 🇺🇸 United States smustgrave
smustgrave → changed the visibility of the branch 3336994-stringformatter-access-r2 to hidden.
- 🇺🇸 United States smustgrave
smustgrave → changed the visibility of the branch 3336994-stringformatter-access-r2 to active.
- Status changed to RTBC
13 days ago 2:34pm 12 June 2024
- 🇺🇸 United States smustgrave
Bummer can't hide 3531 without hiding 8317 so marked in the issue summary
Ran test-only feature https://git.drupalcode.org/issue/drupal-3336994/-/jobs/1841768 which choses all the coverage
Reviewing code and changes make sense.
Only concern I suppose I would have is seeing all the test updates if this would break contrib tests potentially. But doing a deprecation not sure makes sense since the link renders a 403.
LGTM
- Status changed to Needs work
6 days ago 3:27pm 19 June 2024
- 🇺🇸 United States xjm
I closed the superfluous merge request. Unfortunately, the canonical one mentioned in the IS has merge conflicts. So this needs those conflicts resolved. (To receive credit for resolving merge conflicts, the conflict and how it was resolved need to be documented on the issue.) Thanks!
- Status changed to Needs review
6 days ago 7:48pm 19 June 2024
- 🇭🇺 Hungary mxr576 Hungary
git rebase origin/11.x
Auto-merging core/modules/block_content/tests/src/Functional/BlockContentListViewsTest.php
Auto-merging core/modules/views/tests/src/Kernel/Handler/FieldFieldTest.php
CONFLICT (content): Merge conflict in core/modules/views/tests/src/Kernel/Handler/FieldFieldTest.php
error: could not apply d0714b0f46... Fix failing test
hint: Resolve all conflicts manually, mark them as resolved with
hint: "git add/rm <conflicted_files>", then run "git rebase --continue".
hint: You can instead skip this commit: run "git rebase --skip".
hint: To abort and get back to the state before "git rebase", run "git rebase --abort".
Resolved conflicts caused by added void return type hints.
- Status changed to RTBC
6 days ago 8:52pm 19 June 2024