Describe the bug:
Field of type reference restricted to specific model allows to choose entry from different model if user has no access to the model which it should be restricted to.
To simplify: There is model “model-a” which can be only accessed by Admin. There is some custom component with field of type reference with restriction to use only model “model-a” e.g:
{
name: “referenceToModelA”,
type: “reference”,
model: “model-a”
}
Then user who is not admin and has no access to the model “model-a” clicks button to select entry of the reference. This user can see list of entries which aren’t model “model-a”.
To Reproduce
Steps to reproduce the behavior:
- In Builder create model and restrict it only for some specific role
- Create custom component with reference field and restrict this field to the created model
- Log in to Builder on account which has not access to the created model
- Put created custom component on the page and select reference
- You can see list of entries which are not from the model you specified
Expected behavior
User without the access to the model shouldn’t see entries from model which is different from specified.
Maybe there should be some information that this user cannot change the reference because this user has no access to the model.
Maybe user should not be able to change value of this field because this user has no access to the model.
