- United Kingdom scott_euser
Once we have "Views handler loading should respect configuration" (Needs review) and "Configurable views filters to allow for different widgets" (Active) in, so Views filtering allows selection of which widget to use, stopping us having the problems described in #215 and #225 by allowing this to be a new filter (and potentially in a follow-up deprecating the old filter)?
-
alexpott
committed 68013115 on 11.x
Issue #3113989 by acbramley, mohit_aghera, maskedjellybean, scott_euser...
-
alexpott
committed c3a9311a on 11.1.x
Issue #3113989 by acbramley, mohit_aghera, maskedjellybean, scott_euser...
- United Kingdom alexpott
Committed and pushed 68013115a83 to 11.x and c3a9311a660 to 11.1.x. Thanks!
- Switzerland berdir Switzerland
> That route has the _csrf_token requirement. That gets removed by the array_diff in AccessManager::check because there is no request, which the csrf_token requirement needs.
We tried the patch and did just run into this as well.
On one hand, I think that can be improved in masquerade and is arguably even a bug. The controller still checks access, so it's not a security issue. masquerade_target_user_access() or masquerade_switch_user_validate() really should be exposed as an access check and the route should not _only_ have the csrf access check.
But I'm also not sure that the approach here is correct. It's kind of neat to fall back to the url access, but probably also has some performance overhead, because it involves creating route matches and lookups and directly doing access checks on the entity really should be faster. And it's an implicit API change anyway because all implementations need to now always return their URL.
An alternative, more "direct" approach would be to pass around a cacheability object to getDefaultOperations (tricky to add with BC) and the hook (easy to add an extra argument) and require that implementations add their access cacheability to do that and let calls deal with that. Similar to how hook_tokens() works for example.