Problem/Motivation
Views uses EntityViewsData and sub-classes to generate views data for entity base fields.
The bulk of these use the 'standard' plugin which extends from HandlerBase.
HandlerBase::access does not respect field-level access.
As a result, no field-level access is applied to entity base fields when they are used in Views.
The patch demonstrates that field-level access on the comment hostname field isn't respected.
Proposed resolution
Make the 'standard' plugin defer to the relevant entity access controller.
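An added illustration of the gap and of the proposed resolution, as a simplified PHP model (not code from the patch or from Drupal core). All class names, the permission strings and the hostname rule are assumptions made for the example.

```php
<?php
// Simplified, self-contained model of the gap. These classes are
// hypothetical stand-ins, not Drupal's real Views or entity access classes.

interface FieldAccessChecker {
  public function fieldAccess(string $operation, string $field, array $permissions): bool;
}

// Stand-in for an entity access controller carrying a field-level rule.
// Assumed rule: only comment administrators may view the hostname field.
final class CommentFieldAccess implements FieldAccessChecker {
  public function fieldAccess(string $operation, string $field, array $permissions): bool {
    if ($operation === 'view' && $field === 'hostname') {
      return in_array('administer comments', $permissions, true);
    }
    return true;
  }
}

// Before: the handler's access() never consults field-level access.
class StandardHandler {
  public function __construct(protected string $field) {}

  public function access(array $permissions): bool {
    return true;
  }
}

// After: the handler also defers to the entity's field access check.
final class FieldAwareHandler extends StandardHandler {
  public function __construct(string $field, private FieldAccessChecker $checker) {
    parent::__construct($field);
  }

  public function access(array $permissions): bool {
    return parent::access($permissions)
      && $this->checker->fieldAccess('view', $this->field, $permissions);
  }
}

// Constructed sample accounts, represented only by their permissions.
$visitor = ['access comments'];
$admin = ['access comments', 'administer comments'];
$before = new StandardHandler('hostname');
$after = new FieldAwareHandler('hostname', new CommentFieldAccess());

var_dump($before->access($visitor)); // handler without the field-level check
var_dump($after->access($visitor));  // same account, field-level check applied
var_dump($after->access($admin));    // administrator, field-level check applied
```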
Remaining tasks
Patch
Review
User interface changes
none
API changes
none
Beta phase evaluation
Issue category | Bug because if you implement an access plugin to define field level access, you'd expect views to respect it |
---|---|
Issue priority | Critical because security |