[5.x] Don't expose unviewable collection columns via relationship preload

jasonvarga · claude · jasonvarga · commit a68c1193eafe · 2026-05-22T16:29:28.000-04:00
Relationship preload derived listing columns from the configured collection's
blueprint without authorizing it, exposing column metadata via the field-meta
endpoint. Columns are now derived only from collections the user can view,
falling back to the default columns otherwise.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/Fieldtypes/Entries.php b/src/Fieldtypes/Entries.php
@@ -181,24 +181,35 @@ private function getViewableCollections(array $collections): SupportCollection
 
     public function getResourceCollection($request, $items)
     {
-        // With no viewable collections we return empty data and, crucially, no columns. The
-        // columns would otherwise be derived from the first configured collection's blueprint,
-        // which the user isn't allowed to view.
-        if ($this->getViewableCollections($this->getConfiguredCollections())->isEmpty()) {
+        // Derive columns only from a collection the user can view. With none viewable, return
+        // empty data and no columns rather than leaking the structure of an unviewable blueprint.
+        if (! $collection = $this->getColumnCollection($request)) {
             return JsonResource::collection($items)->additional(['meta' => ['columns' => []]]);
         }
 
         return (new EntriesFieldtypeEntries($items, $this))
-            ->blueprint($this->getBlueprint($request))
-            ->columnPreferenceKey("collections.{$this->getFirstCollectionFromRequest($request)->handle()}.columns")
+            ->blueprint($collection->entryBlueprint())
+            ->columnPreferenceKey("collections.{$collection->handle()}.columns")
             ->additional(['meta' => [
                 'activeFilterBadges' => $this->activeFilterBadges,
             ]]);
     }
 
     protected function getBlueprint($request = null)
     {
-        return $this->getFirstCollectionFromRequest($request)->entryBlueprint();
+        return $this->getColumnCollection($request)?->entryBlueprint();
+    }
+
+    protected function getColumnCollection($request = null)
+    {
+        $collection = $this->getFirstCollectionFromRequest($request);
+
+        // Only derive columns from a collection the user can view. If the first requested or
+        // configured collection isn't viewable, fall back to the first viewable configured
+        // collection, or none at all when the user can view none of them.
+        return User::current()->can('view', $collection)
+            ? $collection
+            : $this->getViewableCollections($this->getConfiguredCollections())->first();
     }
 
     protected function getFirstCollectionFromRequest($request)
@@ -468,18 +479,22 @@ public function toGqlType()
 
     public function getColumns()
     {
-        if (count($this->getConfiguredCollections()) === 1) {
-            $columns = $this->getBlueprint()->columns();
+        // Don't derive columns from a blueprint the user can't view; fall back to the
+        // default columns when none of the configured collections are viewable.
+        if (! $collection = $this->getColumnCollection()) {
+            return parent::getColumns();
+        }
+
+        $columns = $collection->entryBlueprint()->columns();
 
+        if (count($this->getConfiguredCollections()) === 1) {
             $this->addColumn($columns, 'status');
 
-            $columns->setPreferred("collections.{$this->getConfiguredCollections()[0]}.columns");
+            $columns->setPreferred("collections.{$collection->handle()}.columns");
 
             return $columns->rejectUnlisted()->values();
         }
 
-        $columns = $this->getBlueprint()->columns();
-
         if ($this->canSelectAcrossSites()) {
             $this->addColumn($columns, 'site');
         }
diff --git a/tests/Feature/Fields/MetaControllerTest.php b/tests/Feature/Fields/MetaControllerTest.php
@@ -5,6 +5,7 @@
 use Illuminate\Support\Facades\Storage;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Facades\AssetContainer;
+use Statamic\Facades\Blueprint;
 use Statamic\Facades\Collection;
 use Statamic\Facades\Role;
 use Statamic\Facades\User;
@@ -121,6 +122,58 @@ public function a_super_admin_gets_full_data_for_policy_less_types_through_prelo
         $this->assertNull($response->json('meta.data.0.invalid'));
     }
 
+    #[Test]
+    public function it_does_not_expose_columns_from_an_unviewable_collection_blueprint()
+    {
+        Collection::make('secret')->title('Secret')->save();
+        Blueprint::make('secret')
+            ->setNamespace('collections.secret')
+            ->setContents(['fields' => [
+                ['handle' => 'classified', 'field' => ['type' => 'text']],
+            ]])
+            ->save();
+
+        $this->setTestRoles(['test' => ['access cp']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $response = $this->fieldMeta($user, [
+            'handle' => 'related',
+            'type' => 'entries',
+            'collections' => ['secret'],
+        ], [])->assertOk();
+
+        $columns = collect($response->json('meta.columns'))->pluck('field')->all();
+
+        // Only the default columns, never the unviewable blueprint's fields.
+        $this->assertNotContains('classified', $columns);
+        $this->assertEquals(['title'], $columns);
+    }
+
+    #[Test]
+    public function an_authorized_user_still_gets_the_full_collection_columns_via_preload()
+    {
+        Collection::make('news')->title('News')->save();
+        Blueprint::make('news')
+            ->setNamespace('collections.news')
+            ->setContents(['fields' => [
+                ['handle' => 'intro', 'field' => ['type' => 'text', 'listable' => true]],
+            ]])
+            ->save();
+
+        $this->setTestRoles(['test' => ['access cp', 'view news entries']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $response = $this->fieldMeta($user, [
+            'handle' => 'related',
+            'type' => 'entries',
+            'collections' => ['news'],
+        ], [])->assertOk();
+
+        $columns = collect($response->json('meta.columns'))->pluck('field')->all();
+
+        $this->assertContains('intro', $columns);
+    }
+
     #[Test]
     public function it_gates_assets_through_the_preload_path()
     {
