EntityQuery Access Check in node_get_recent()

Created on 30 April 2023, over 1 year ago
Updated 1 May 2023, over 1 year ago

Problem/Motivation

On Drupal 10.0, executing node_get_recent(1); anywhere in your codebase returns a fatal error:

The website encountered an unexpected error. Please try again later.

Drupal\Core\Entity\Query\QueryException: Entity queries must explicitly set whether the query should be access checked or not. See Drupal\Core\Entity\Query\QueryInterface::accessCheck(). in Drupal\Core\Entity\Query\Sql\Query->prepare() (line 141 of core/lib/Drupal/Core/Entity/Query/Sql/Query.php).
Drupal\Core\Entity\Query\Sql\Query->execute() (Line: 713)
node_get_recent(1)

This is due to CR #3201242: Access checking must be explicitly specified on content entity queries β†’ , which is now enforced in Drupal 10 by throwing an exception if ::accessCheck() is not explicitly included in any content entity queries. To be honest, this is no surprise because issue πŸ“Œ Deprecate node_get_recent() Fixed explains the situation succinctly:

node_get_recent() is unused and untested in core.

The fix in Drupal core would technically be a one-liner and might still make sense to try to get in (without tests?) while progress is made on #3356516 to remove the function completely in Drupal 11.

function node_get_recent($number = 10) {
  $account = \Drupal::currentUser();
  $query = \Drupal::entityQuery('node');
+  $query->accessCheck(FALSE);
  if (!$account->hasPermission('bypass node access')) {
    // If the user is able to view their own unpublished nodes, allow them
    // to see these in addition to published nodes. Check that they actually

Steps to reproduce

Proposed resolution

Add a call to ::accessCheck() to avoid the error. The person who authored the CR (mentioned above) seemed to suggest that ::accessCheck(FALSE) is what the default behavior implies. If you review the code of node_get_recent() it includes its own additional permissions logic, so I think FALSE is safe.

Remaining tasks

Write tests
Review

User interface changes

N/a

API changes

N/a

Data model changes

N/a

Release notes snippet

πŸ› Bug report
Status

Closed: duplicate

Version

10.0 ✨

Component
Node systemΒ  β†’

Last updated 5 days ago

No maintainer
Created by

πŸ‡ͺπŸ‡¨Ecuador jwilson3

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024