Access checking must be explicitly specified on content entity queries

Created on 5 June 2023, over 1 year ago

Problem/Motivation

The \Drupal\Core\Entity\Query\QueryInterface::accessCheck() allows developers to specify whether only content entities that the current user has view access for should be returned when the query is executed. Although all entity queries support this method, core only actually implements access checking on the results for content entities that use sql-storage.

If ::accessCheck() is not called, then the query defaults to checking access, i.e. behaves as if ::accessCheck(TRUE) had been called. This behavior has been the source of many bugs, as it is easy for developers to forget that this happens.

In Drupal 9.2, not calling ::accessCheck() has been deprecated, and all entity queries on content entities should always include an explicit call to ::accessCheck() prior to the query being executed. For Drupal 10 this will be enforced by throwing an exception if ::accessCheck() is not called.

See https://www.drupal.org/node/3201242 →

🐛 Bug report

Status

Needs review

Version

3.0

Component

Code

Created by

🇩🇪Germany sense-design Münster

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @sense-design
Comment over 1 year ago →
🇩🇪Germany sense-design Münster
Comment over 1 year ago →
🇩🇪Germany sense-design Münster
Patch to fix this is attached. Please test and review.
@sense-design opened merge request.
Open in Jenkins → Open on Drupal.org →
Core: 9.5.x + Environment: PHP 8.1 & MySQL 8
last update over 1 year ago
Build Successful
Open in Jenkins → Open on Drupal.org →
Core: 10.1.x + Environment: PHP 8.1 & MySQL 8
last update over 1 year ago
Build Successful
Status changed to Needs review over 1 year ago11:15am 5 June 2023
Comment over 1 year ago →
🇩🇪Germany sense-design Münster

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024