Authorize relationship fieldtype data

duncanmcclean · claude · duncanmcclean · commit 33a96cd1854f · 2026-05-26T08:54:58.000+01:00
Add authorization checks to Runway's relationship fieldtypes to align
with Statamic CMS PRs #14718 and #14719. Users without view permission
for a resource will now see an empty picker and invalid placeholders
for existing selections they can't access.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/composer.json b/composer.json
@@ -46,7 +46,7 @@
         "pixelfear/composer-dist-plugin": "^0.1.5",
         "spatie/error-solutions": "^1.0 || ^2.0",
         "spatie/invade": "^2.1",
-        "statamic/cms": "^6.17",
+        "statamic/cms": "^6.20",
         "stillat/proteus": "^4.2.1"
     },
     "require-dev": {
diff --git a/src/Fieldtypes/BaseFieldtype.php b/src/Fieldtypes/BaseFieldtype.php
@@ -13,6 +13,7 @@
 use Statamic\Facades\Blink;
 use Statamic\Facades\Scope;
 use Statamic\Facades\Search;
+use Statamic\Facades\User;
 use Statamic\Fieldtypes\Relationship;
 use Statamic\Http\Requests\FilteredRequest;
 use Statamic\Query\OrderBy;
@@ -187,6 +188,10 @@ public function process($data)
 
     public function getIndexItems($request)
     {
+        if (! User::current()?->can('view', $this->resource())) {
+            return collect();
+        }
+
         $query = $this->getIndexQuery($request);
 
         $this->applyOrderingToIndexQuery($query, $request);
@@ -383,6 +388,11 @@ protected function getColumns()
             ->values();
     }
 
+    protected function authorizeItemData($id): bool
+    {
+        return (bool) User::current()?->can('view', $this->resource());
+    }
+
     protected function toItemArray($id)
     {
         $resource = Runway::findResource($this->config('resource'));
diff --git a/tests/Fieldtypes/BelongsToFieldtypeTest.php b/tests/Fieldtypes/BelongsToFieldtypeTest.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\Facades\Config;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Facades\Blink;
+use Statamic\Facades\User;
 use Statamic\Fields\Field;
 use Statamic\Http\Requests\FilteredRequest;
 use StatamicRadPack\Runway\Fieldtypes\BelongsToFieldtype;
@@ -26,6 +27,8 @@ protected function setUp(): void
     {
         parent::setUp();
 
+        $this->actingAs(User::make()->makeSuper()->save());
+
         $this->fieldtype = tap(new BelongsToFieldtype)
             ->setField(new Field('author', [
                 'max_items' => 1,
diff --git a/tests/Fieldtypes/HasManyFieldtypeTest.php b/tests/Fieldtypes/HasManyFieldtypeTest.php
@@ -10,6 +10,7 @@
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Facades\Blink;
 use Statamic\Facades\Entry;
+use Statamic\Facades\User;
 use Statamic\Fields\Field;
 use Statamic\Http\Requests\FilteredRequest;
 use Statamic\Testing\Concerns\PreventsSavingStacheItemsToDisk;
@@ -29,6 +30,8 @@ protected function setUp(): void
     {
         parent::setUp();
 
+        $this->actingAs(User::make()->makeSuper()->save());
+
         $this->fieldtype = tap(new HasManyFieldtype)
             ->setField(new Field('posts', [
                 'mode' => 'stack',
diff --git a/tests/__fixtures__/revisions/resources/post/1/1779782016.yaml b/tests/__fixtures__/revisions/resources/post/1/1779782016.yaml
@@ -0,0 +1,18 @@
+action: unpublish
+date: 1779782016
+user: b59044c1-59a0-47d9-87ff-beb4d95deffe
+message: 'Live live live!'
+attributes:
+  id: 1
+  published: false
+  data:
+    title: 'ut ut quod non vel inventore'
+    slug: ut-ut-quod-non-vel-inventore
+    body: 'Consequuntur ut debitis sint numquam ipsum. Consequatur omnis voluptatum ut sapiente sint consectetur. Dolore quos in molestiae earum perferendis dolorum. Magnam quasi maxime qui deleniti. Voluptas voluptatem laudantium mollitia vel omnis. Aut voluptatem dolorem placeat quia eum alias inventore. Cumque vel voluptatem sunt et. Ut maxime quis omnis ut libero. Eaque qui explicabo pariatur exercitationem in aut soluta. Ratione voluptates temporibus ut et facilis necessitatibus. Rerum dolorem sit commodi est minima. Quam minus quia porro consequatur. Veritatis ad ea aliquid tempore asperiores. Ea reiciendis omnis consectetur impedit. Distinctio vero autem necessitatibus tempore voluptatum ad eos. Voluptas sint quae et ea suscipit cumque. Et vel hic nihil. Perferendis debitis non est voluptatem corrupti. Doloribus vel nostrum consequatur quas sint et ipsa. Dolore aliquam enim voluptatem vel omnis ducimus nulla quos. Voluptatem voluptates quas ducimus iusto. Qui ut ea autem facere accusamus est non. Ut iste nisi vel consequatur sit voluptas necessitatibus non. Numquam officia dolores quod blanditiis. Nam temporibus cum ut optio. Voluptas occaecati minus consequatur iusto. Ipsa aliquam sed qui. Veritatis nihil dolores officia vitae. Aliquid velit sed est dolores itaque omnis dolorem. Earum minus quas voluptas repudiandae adipisci. Autem est dolores nemo ut. Alias quos corrupti corporis magnam adipisci quaerat. Nemo id exercitationem voluptatem aliquid consequuntur necessitatibus vero. Fuga non velit architecto consequatur. Ut quam magnam qui perspiciatis rem soluta et consequatur.'
+    excerpt: 'This is an excerpt.'
+    author_id: 1
+    start_date: '2026-05-26 07:53:36'
+    end_date: null
+    membership_status: null
+    values: null
+    external_links: null
