Confirmed. Field is always shown, independend of which Acces-Level is set.

The Access Level is working only for the INPUT field i think?

Can you please try with a user that isn't allow to manage the fields (actually doesn't have global "core.admin" permission)? Because the ACL check is skipped for those.

@Bakual then the field is indeed not displayed if you login. So it indeed seems to be an issue when you have "core.admin" permissions.

Good. That doesn't mean the code is correct but it explains the behaviour ?
The code in question is https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_fields/models/fields.php#L230-L235

We need that check because we use the same model in frontend and backend. And we obviously need to be able to see fields with access level "guest" in backend ?
I'm not sure if that could be solved easy somehow. Maybe with an additional check for the application (site vs administrator)?

@Bakual guess the easiest solution would be indeed to do an application check.

What happens when somebody doesn't have view access but can edit the field, should the field then be visible when editing an article?

Try to keep it consistent with other places in the CMS. Eg look what happens if a user isn't set to see an article but could edit it.

I made a test and could successfully edit an article I don't have the necessary access level. So when we can agree that in fields it will be the same that the access level is not checked when editing an article then I can do a pr for it. But first I would like to get a confirmation for it. @sanderpotjer what do you think about that?

I would like to get that solved, any opinions about the proposal to make it work the same way as with articles?

Should we label this one as release blocker?

Y4s

I made a test and could successfully edit an article I don't have the necessary access level.

What does that exactly mean?

@sanderpotjer Can you give your inputs one Allons question?

@zero-24 That I logged in as a user which does belong to the Registered user group only. I gave an article edit permission for the Registered groups. On the front, I logged in as that user and started to edit an article. Then I set the access level of that article to special in the back end. On the front where I'm logged in as registered user I hit the F5 button. I'm still able to save the article, despite the fact that I don't have the right access level.

Imho F5 on the edit view does bypass some checks since you have the flag already set in the session. A more appropriate test would be to use the original "&task=edit" link on an article you haven't edited yet in that session.

@laoneo please implement it in the way it is done in other areas so that we can merge it after RC3, don't wait any time longer on Sander

removed release blocker, because it is not critical, to get the information you just need to log out and get it. The way around would be a bigger problem

Closing as we have a PR to test: #15365