[5.x] Don't expose unviewable taxonomy columns via relationship listing

jasonvarga · claude · jasonvarga · commit bd528dc899d7 · 2026-05-22T16:36:20.000-04:00
Mirrors the collection fix: term relationship columns are now derived only
from taxonomies the user can view, falling back to the default columns
otherwise.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/Fieldtypes/Terms.php b/src/Fieldtypes/Terms.php
@@ -291,21 +291,32 @@ private function getViewableTaxonomies(array $taxonomies): Collection
 
     public function getResourceCollection($request, $items)
     {
-        // With no viewable taxonomies we return empty data and, crucially, no columns. The
-        // columns would otherwise be derived from the first configured taxonomy's blueprint,
-        // which the user isn't allowed to view.
-        if ($this->getViewableTaxonomies($this->getConfiguredTaxonomies())->isEmpty()) {
+        // Derive columns only from a taxonomy the user can view. With none viewable, return
+        // empty data and no columns rather than leaking the structure of an unviewable blueprint.
+        if (! $taxonomy = $this->getColumnTaxonomy($request)) {
             return JsonResource::collection($items)->additional(['meta' => ['columns' => []]]);
         }
 
         return (new TermsResource($items, $this))
-            ->blueprint($this->getBlueprint($request))
-            ->columnPreferenceKey("taxonomies.{$this->getFirstTaxonomyFromRequest($request)->handle()}.columns");
+            ->blueprint($taxonomy->termBlueprint())
+            ->columnPreferenceKey("taxonomies.{$taxonomy->handle()}.columns");
+    }
+
+    protected function getBlueprint($request = null)
+    {
+        return $this->getColumnTaxonomy($request)?->termBlueprint();
     }
 
-    protected function getBlueprint($request)
+    protected function getColumnTaxonomy($request = null)
     {
-        return $this->getFirstTaxonomyFromRequest($request)->termBlueprint();
+        $taxonomy = $this->getFirstTaxonomyFromRequest($request);
+
+        // Only derive columns from a taxonomy the user can view. If the first configured
+        // taxonomy isn't viewable, fall back to the first viewable configured taxonomy,
+        // or none at all when the user can view none of them.
+        return User::current()->can('view', $taxonomy)
+            ? $taxonomy
+            : $this->getViewableTaxonomies($this->getConfiguredTaxonomies())->first();
     }
 
     protected function getFirstTaxonomyFromRequest($request)
diff --git a/tests/Feature/Fieldtypes/RelationshipFieldtypeTest.php b/tests/Feature/Fieldtypes/RelationshipFieldtypeTest.php
@@ -3,6 +3,7 @@
 namespace Tests\Feature\Fieldtypes;
 
 use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\Blueprint;
 use Statamic\Facades\Collection;
 use Statamic\Facades\Entry;
 use Statamic\Facades\Form;
@@ -199,6 +200,74 @@ public function it_returns_an_empty_listing_when_the_user_cannot_view_any_of_the
         $this->assertEmpty($response->json('meta.columns'));
     }
 
+    #[Test]
+    public function it_does_not_expose_columns_from_an_unviewable_taxonomy_blueprint()
+    {
+        Taxonomy::make('secret')->title('Secret')->save();
+        Taxonomy::make('topics')->title('Topics')->save();
+        Blueprint::make('secret')
+            ->setNamespace('taxonomies.secret')
+            ->setContents(['fields' => [
+                ['handle' => 'classified', 'field' => ['type' => 'text']],
+            ]])
+            ->save();
+        Blueprint::make('topics')
+            ->setNamespace('taxonomies.topics')
+            ->setContents(['fields' => [
+                ['handle' => 'summary', 'field' => ['type' => 'text']],
+            ]])
+            ->save();
+
+        // The user can view the second configured taxonomy but not the first.
+        $this->setTestRoles(['test' => ['access cp', 'view topics terms']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $config = base64_encode(json_encode([
+            'type' => 'terms',
+            'taxonomies' => ['secret', 'topics'],
+        ]));
+
+        $response = $this
+            ->actingAs($user)
+            ->getJson("/cp/fieldtypes/relationship?config={$config}")
+            ->assertOk();
+
+        $columns = collect($response->json('meta.columns'))->pluck('field')->all();
+
+        // Columns come from the viewable taxonomy, never the unviewable first one.
+        $this->assertNotContains('classified', $columns);
+        $this->assertContains('summary', $columns);
+    }
+
+    #[Test]
+    public function an_authorized_user_still_gets_the_full_taxonomy_columns()
+    {
+        Taxonomy::make('secret')->title('Secret')->save();
+        Blueprint::make('secret')
+            ->setNamespace('taxonomies.secret')
+            ->setContents(['fields' => [
+                ['handle' => 'classified', 'field' => ['type' => 'text']],
+            ]])
+            ->save();
+
+        $this->setTestRoles(['test' => ['access cp', 'view secret terms']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $config = base64_encode(json_encode([
+            'type' => 'terms',
+            'taxonomies' => ['secret'],
+        ]));
+
+        $response = $this
+            ->actingAs($user)
+            ->getJson("/cp/fieldtypes/relationship?config={$config}")
+            ->assertOk();
+
+        $columns = collect($response->json('meta.columns'))->pluck('field')->all();
+
+        $this->assertContains('classified', $columns);
+    }
+
     #[Test]
     public function it_scopes_collection_listing_to_viewable_collections()
     {
