Account created on 28 May 2008, over 16 years ago
#

Recent comments

🇩🇪Germany manuelBS

@rcross but why in the view project? This is really related to core.

🇩🇪Germany manuelBS

As patch #149 works for my use cases perfectly in D7 on mysql but cannot be applied to the latest 7.25 release, here is the patch rerolled if anybody else needs it.

🇩🇪Germany manuelBS

I tested the patch at #149 and it also worked great for me. Thanks!

🇩🇪Germany manuelBS

Sorry bad fault ;-) Here is the patch again. I hope it works now @freelock thanks for your help.
Does http://drupal.org/node/1349080#comment-7141442 not explain my thoughts or do you think these thought are not always right and open other issues?

🇩🇪Germany manuelBS

Instead of checking for an empty join type we should probably check for an INNER join type, as then we want to handle it the strict way.

as @dawehner wrote works form me. And in my opinion this makes sence to check

if (empty($tableinfo['join type']) || $tableinfo['join type'] == 'INNER') {

cause in case of an inner join (when for axample a relationship is required) we need to have access check with

$query->exists($subquery);

To ensure that the user has access to the referenced nodes.
I added tha patch to this comment

🇩🇪Germany manuelBS

Now I tried to backport the patch from #119 to D7. But there still seams to be a problem whit entities in a view in the fallowing use case. Before I create a test case, I want to make sure that the problem is related to this issue:

I have a "self made" entity that references a node just be putting the nodes nid into the entity tabel (no reference field). Then I added this relationship in hook_views_data.
In my view I show the "self made" entities and I added the relation to the referenced node, the relation is required.
I make sure that I dont have access to all referenced nodes. If I apply the patch, I see all the "self made" entities in the view. If I don't apply the patch, these entities that reference a node where I don't have access to, are not shown in the view (but of course then the initial issue occurs again). But as I understand, the query should check access to related nodes if "the relationship" is required.

🇩🇪Germany manuelBS

It seams to me that 7.x patch http://drupal.org/node/1349080#comment-6384002 #89 has a security problem because when I show entities in a view that reference other entities and I check "require this relationship", i see the entities even if i don't have access to the referenced entities.

Production build 0.71.5 2024