Views checks the session for exposed filters when it shouldn't

Open on Drupal.org →

Created on 9 January 2025, about 2 months ago

Problem/Motivation

Discovered in 📌 Search must be indexed after recipe is applied Active .

automated_cron runs at the end of request, after the session is closed.

Views can use session storage to set default values of exposed input.

Views can also be search indexed if they're rendered as part of rendering a node (or any search indexing that ends up rendering views).

However, ViewsExecutable happily checks session information when rendering - this could theoretically mean that an individual user's saved filter settings would influence what gets search indexed, which should not happen. Either way, it results in headers already sent with automated cron.

It also looks like ViewsExecutable does this for anonymous users even when the view isn't configured to do so.

e.g. FilterPluginBase checks roles, ViewExecutable doesn't.

At a minimum, ViewExecutable should not be checking the session when the view isn't configured for it.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Active

Version

11.0 🔥

Component

views.module

Created by

🇬🇧United Kingdom catch

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @catch
Comment about 2 months ago →
🇬🇧United Kingdom catch
According to 📌 Search must be indexed after recipe is applied Active this is causing PHP warnings in Drupal CMS, so tagging.
Comment about 2 months ago →
🇳🇱Netherlands Lendude Amsterdam
Is this a duplicate of 🐛 Views exposed filter reset creates session for anonymous Active or just similar?
Comment about 2 months ago →
🇬🇧United Kingdom catch
It's similar to that issue but different code in a different class altogether.
Comment 21 days ago →
🇬🇧United Kingdom catch
I opened another duplicate of this issue because I couldn't find it and forgot about opening, but that issue is a bit better written up, so closing this one instead 🐛 ViewExecutable should not be responsible for parsing exposed input Active
Comment 21 days ago →
🇬🇧United Kingdom catch
Actually these are two different issues just the same code, re-opening.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024