Contrib.social

tft_file_access missing accessCheck

Open on Drupal.org →
Created on 28 August 2023, over 1 year ago

[Error] [php] Drupal\Core\Entity\Query\QueryException: Entity queries must explicitly set whether the query should be access checked or not. See Drupal\Core\Entity\Query\QueryInterface::accessCheck(). in Drupal\Core\Entity\Query\Sql\Query->prepare() (line 162 of /htdocs/core/lib/Drupal/Core/Entity/Query/Sql/Query.php).

if we use https://github.com/podarok/drupal/commit/5656ba39204d105ca7c26535ed963d0...
+ debug_print_backtrace();

we can see more detail in the error:

modules/contrib/tft/tft.module

/**
 * Implements hook_ENTITY_TYPE_access().
 */
function tft_file_access(EntityInterface $entity, $operation, AccountInterface $account) {
  // Check that user has an access to the group.
  $fid = $entity->get('fid')->getValue();
  $query = \Drupal::entityQuery('media')
    ->condition('tft_file', $fid[0]['value']);
  $entity_id = array_values($query->execute());
  if (isset($entity_id[0])) {
    $media = Media::load($entity_id[0]);
  }

missing accessCheck(FALSE) or TRUE

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇺🇸United States jakegibs617

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @jakegibs617
  • Comment over 1 year ago
    🇺🇸United States jakegibs617 
    diff --git a/modules/contrib/tft/tft.module b/modules/contrib/tft/tft.module
index bfb083b8f..d6d771c49 100644
--- a/modules/contrib/tft/tft.module
+++ b/modules/contrib/tft/tft.module
@@ -664,7 +664,7 @@ function tft_file_access(EntityInterface $entity, $operation, AccountInterface $
   $fid = $entity->get('fid')->getValue();
   $query = \Drupal::entityQuery('media')
     ->condition('tft_file', $fid[0]['value']);
-  $entity_id = array_values($query->execute());
+  $entity_id = array_values($query->accessCheck(FALSE)->execute());
   if (isset($entity_id[0])) {
     $media = Media::load($entity_id[0]);
   }

    this works... But not sure if maintainers want this to be set to TRUE or FALSE

  • First commit to issue fork.
  • Merge request !1#3383811 tft_file_access missing accessCheck → (Open) created by dakruchko
  • Comment over 1 year ago
    🇧🇾Belarus dakruchko

    I've created a merge request: https://git.drupalcode.org/project/tft/-/merge_requests/1/diffs
    Added ->accessCheck(TRUE) as this is default (current) behavior, we just need to declare it explicitly. (FYI https://www.drupal.org/node/3201242 )

  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago
    🇧🇾Belarus dakruchko
  • Status changed to RTBC about 1 year ago
  • Comment about 1 year ago
    🇬🇧United Kingdom catch

    Looks right to me. This is an uncaught exception when trying to use TFT on Drupal 10 so bumping to critical.

  • Comment about 1 year ago
    🇦🇷Argentina andreadruiz Buenos Aires

    Hi!
    I'm adding more accessCheck missing from the tft.module file. I added empty, but not sure if it should be TRUE.
    Please, let me know.
    Thanks!

  • Status changed to Needs review about 1 year ago
  • Comment about 1 year ago
    🇦🇷Argentina andreadruiz Buenos Aires
  • First commit to issue fork.
  • Comment about 1 year ago
    🇮🇳India dineshkumarbollu

    Found one more entityQuery in DeleteFolderForm.php file and created MR.

  • Status changed to RTBC 12 months ago
  • Comment 12 months ago
    🇬🇧United Kingdom catch

    The module shouldn't have been declared Drupal 10 compatible without fixing these, it results in fatal errors everywhere. This is ready to go. If any more have been missed, can be a new issue.

  • Comment 16 days ago
    🇺🇸United States socketwench

    This doesn't appear to be the correct fix. At least, not in our case.

    On a fresh opigno site, non-admins cannot access any of the files in the document library. Admins can, but everyone else hits the accessCheck(TRUE) in _tft_get_group_gid() and are locked out. This despite the fact that the student is a member of the group (learning path). When the call is accessCheck(FALSE), the document library works as normal.

    It's possible that our install is missing a permission or a group type configuration, but there doesn't seem to be any other way to resolve the bug.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024