Can a view be accessed if there's no page or block?

mbomb007

5/18/24, 2:59 PM

The following question may seem contrived, but I have custom access controls besides roles and permissions, so I can place view blocks on pages that are viewable by users in a list, for example.

If I create a view with a default and a block display that has "role: authenticated" access requirement, then I place the block on a page only admins can see, is there a way for regular "authenticated" users to see the view? For example, is there some AJAX URL they could enter to see it?

For security reasons, I need to know if there is some way they could see the data. If so, then I need to create a custom view access plugin.

1 + 2

views

Kevin

5/18/24, 3:03 PM

Not sure I follow, a View, embedded or otherwise, will enforce the access restrictions configured for it when executed. The only way a View would be exposed from a security misconfiguration is to have a View URL not behind /admin and or not have enough role based restriction on that route and someone types it in. Conventional wisdom is to use proper roles and ACL and not just rely on the 'authenticated' role everyone gets.

mbomb007

5/18/24, 4:10 PM

@Kevin Yes, but like I said, the site I'm working on doesn't use roles for most authentication.

Score:2

Drupal

Jaypan

5/18/24, 3:34 PM

If the view does not have a page display, then there is no path by which it can be accessed. It cannot be guaranteed that it won't be made available by some contributed module or custom module through an Ajax call, but by default, it won't be accessible to authenticated users if they are not able to access the page the block is on, even when the block itself is visible to authenticated users.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Can a view be accessed if there's no page or block?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.