Attached display link is shown even if validation criteria in the contextual filters fails

Created on 7 May 2024, about 2 months ago

Updated 13 May 2024, about 1 month ago

Problem/Motivation

An attached display link should not be shown when the user has no access to that attached display.
This is true when the access is restricted in the view display's access settings.
However, when the access is restricted via a validation criteria in a contextual filter, the attached display link is still shown. When clicking on the link, the user will see a 404 page.

Steps to reproduce

I did the following in a fresh standard install of Drupal 11.

Edit the frontpage view (https://d11.ddev.site/admin/structure/views/view/frontpage/edit);
Change the path to be: /node/%type and add a contextual filter for content type (all displays);
Remove the filter "Promoted to the front page" (all displays);
Create some basic pages;
Add this to your theme (for this test I'm editing "core/themes/olivero/templates/views/views-view--frontpage.html.twig"), for example above the footer section:
```
  {% if feed_icons %}
    <div class="feed-icons">
      {{ feed_icons }}
    </div>
  {% endif %}
  
```
Now, as an authenticated user, when going to https://d11.ddev.site/node/page the RSS feed link should be visible.
When clicking the RSS feed link a file should be ready to be downloaded;
Edit the frontpage view (https://d11.ddev.site/admin/structure/views/view/frontpage/edit);
Now as admin edit the frontpage view, the Feed display (https://d11.ddev.site/admin/structure/views/view/frontpage/edit/feed_1);
Click in the Contextual filter: content type and then:
- check the box for "Specify validation criteria";
- select the validator "Content type";
- check the box " Validate user has access to the Content type";
- for the Access operation to check, choose "Edit";
- on the top of the modal, choose to apply only to this feed display (override)
- and apply the changes.
Save the view.
Now, as an authenticated user, when going to https://d11.ddev.site/node/page the RSS feed link should be visible.
When clicking the RSS feed link a page 404 is shown!

The link to an inaccessible page should not be shown.

Proposed resolution

In "\Drupal\views\ViewExecutable::attachDisplays()" there is a check if the display can be accessed:
if ($display_handler->isEnabled() && $display_handler->access()) {...}

Either $display_handler->access() should return false or we need to add another check.

Remaining tasks

Investigate and fix.

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

Issue description.

🐛 Bug report

Status

Active

Version

11.0 🔥

Component

Views →

Last updated about 5 hours ago

Maintained by
🇩🇪Germany @dawehner
🇺🇸United States @tim.plunkett
🇬🇧United Kingdom @damiankloip
🇺🇸United States @xjm
🇳🇱Netherlands @Lendude

Created by

🇵🇹Portugal dxvargas

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @dxvargas
First commit to issue fork.
Comment about 1 month ago →
🇳🇱Netherlands Lendude Amsterdam
Didn't try, but even if we would fix the access check we would then probably run into caching issues, since the validation cache contexts wouldn't bubble currently due to #3091671: Validate user has access option in contextual filter does not bubble access cacheability for views page →

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024