Export and access checks

Created on 1 March 2023, about 2 years ago
Updated 4 October 2023, over 1 year ago

Problem/Motivation

Despite 🐛 Fix incorrect access check in WebformSubmissionExporter::generate Fixed being fixed, our tests on 6.1 started failing again. Looks like I didn't properly investigate that last time.

I did some digging and the situation is a bit a mess and currently inconsistent between 6.1 and 6.2:

git diff 6.1.x..6.2.x src/WebformSubmissionExporter.php
[...]
   public function generate() {
-    $entity_ids = $this->getQuery()->accessCheck(TRUE)->execute();
+    $entity_ids = $this->getQuery()->execute();
     $webform_submissions = WebformSubmission::loadMultiple($entity_ids);
 
     $this->writeHeader();
@@ -911,7 +949,10 @@ class WebformSubmissionExporter implements WebformSubmissionExporterInterface {
     $webform = $this->getWebform();
     $source_entity = $this->getSourceEntity();
 
-    $query = $this->getSubmissionStorage()->getQuery()->condition('webform_id', $webform->id());
+    $query = $this->getSubmissionStorage()
+      ->getQuery()
+      ->accessCheck(FALSE)
+      ->condition('webform_id', $webform->id()); 

This isn't good.

The exporter used to have this snippet:

// Do not check access to submission since the exporter UI and Drush
// already have access checking.
// @see webform_query_webform_submission_access_alter()
$query->accessCheck(FALSE);

But this was removed in #3302623: Disabling the access check in WebformSubmissionExporter bypasses domain .

Then, 6.2.x D10 compatibility work happened and was partially backported to 6.1.x. I then reported 🐛 Fix incorrect access check in WebformSubmissionExporter::generate Fixed which I noticed on 6.2 but actually not _only_ a D10 porting issue, I wasn't aware of the domain issue. That removed the accessCheck(TRUE) and kept the one on FALSE, but that accessCheck(FALSE) was not backported to 6.1. Then 🐛 Webform 6.1.4 breaks drush data export Fixed re-added it on both branches, but only for CLI.

That means that currently on 6.2, access checks are always disabled and on 6.1 only on CLI.

To be honest, I'm unsure if the exporter should ever assume that access checks shouldn't be done or at least it should expose that decision and not hardcode it. See proposed solution.

Steps to reproduce

Proposed resolution

Add a new public method on the exporter that allows to explicitly disable access checks, default to doing access checks. The drush integration should then disable it. Our own integration that does the partial export for usually-not-authorized-users will need to be adjusted too but I can live with that.

Note that this the combination of using domain module *and* drush is going to be weird then, as it will not be domain-limited, but I'm not sure what the expectation in that situation even is. An alternative would be to always do access checks, but have an additional query metadata property that allows to skip only your own access check.

6.1 and 6.2 will need different patches then to align them again.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Fixed

Version

6.2

Component

Code

Created by

🇨🇭Switzerland berdir Switzerland

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024