Rewritten links do not check access

Created on 11 October 2024, 2 months ago

Problem/Motivation

Link paths in "Rewrite results", "Output this field as a custom link" are not checked for the viewers access, and they are shown fields as links that go to 403 Access Denied pages.

Thought this was only rewritten links, but i get the same thing in a commerce order view with "Link to the Order", it uses the admin path for the order for which regular users get access denied, yet they are still shown the link.

Steps to reproduce

  • Create a view with fields including a text field.
  • Configure the field to Rewrite results, Output this field as a custom link, admin/modules
  • View this view as a user which does not have administer modules permission.

Proposed resolution

Internal paths here should be treated the same way as internal paths in menu links— or almost the same, rather than the entire link and text being gone, the text should remain but be unlinked.

If this is not feasible, we should add help text indicating that it won't work the way internal links work elsewhere in Drupal.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

views.module

Created by

🇺🇸United States mlncn Minneapolis, MN, USA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @mlncn
  • 🇳🇱Netherlands Lendude Amsterdam

    Not sure if this is a bug, think this is pretty much by design, so I'd say a feature request, but ¯\_(ツ)_/¯

    Caching the View might become tricky cause that would potentially depend on permissions depending what the rewrite would lead to.

  • 🇮🇳India nmudgal

    Just my two cents on this: The issue with rewritten links in Drupal Views showing 403 "Access Denied" pages is actually quite common and might not technically be a bug—it’s likely more of a design choice. Here’s why:

    1. Flexibility in Views

    Drupal Views is designed to be flexible. It allows you to rewrite fields and link to any path you choose. Because Views doesn’t inherently know what permissions are required for each custom path you add, it doesn’t automatically check user access on those links. This gives site builders the freedom to link to internal or external paths without restrictions, even if it results in access-denied pages for certain users.

    2. Impact on Caching

    If Views were to check access on each rewritten link, caching would become much more complex. Caching in Views is optimized for performance, assuming that the rendered content is accessible to the user requesting it. If access checks were enforced, Views would need to account for individual user permissions on each item, which could lead to different cache versions per user. This would be quite demanding and could impact performance.

    3. Difference from Menus

    In Drupal, menu links are subject to access checks because they’re core navigation items. In contrast, fields and custom links in Views are treated more like display elements, where access checks aren’t applied automatically. This setup keeps Views lightweight and fast, even if it occasionally means users might see 403 errors on links.

    4. Possible Solutions

    • Help Text: Adding help text in the Views UI could help clarify that custom links won’t behave exactly like internal menu links and could lead to access-denied pages if users lack permissions.
    • Conditional Access Checks: For more control, we can add conditional fields or permissions checks in Views configurations or custom code to make links visible only when users have the right permissions.
Production build 0.71.5 2024