Document that EntityAccessControlHandler::checkFieldAccess returns AccessResultAllowed by default

Created on 13 December 2023, 11 months ago
Updated 18 December 2023, 11 months ago

Problem/Motivation

EntityAccessControlHandler::checkFieldAccess always returns allowed

This means that all fields are editable if the user has 'update' access to the entity.

We should document this as it could catch people out.

This was originally posted on security.drupal.org but cleared for a public issue by the security team

Steps to reproduce

Proposed resolution

Add additional documentation to \Drupal\Core\Field\FieldItemList::access and EntityAccessControlHandler::checkFieldAccess

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

📌 Task
Status

Needs work

Version

11.0 🔥

Component
Entity

Last updated about 4 hours ago

  • Maintained by
  • United Kingdom @catch
  • Switzerland @berdir
  • Germany @hchonov
Created by

Australia larowlan GMT+10

  • Novice
  • Documentation


Merge Requests

Comments & Activities

  • Issue created by @larowlan
  • India Akhil Babu Chengannur

    Akhil Babu made their first commit to this issue's fork.

  • India Akhil Babu Chengannur

    The function definition was updated in https://www.drupal.org/project/drupal/issues/3395404 🐛 Information disclosure access bypass for revision log fields when the JSON:API module is enabled Fixed

  • India Akhil Babu Chengannur

    This means that all fields are editable if the user has 'update' access to the entity.

    Is this valid now? Update access is checked only for the revision log field in the new definition.

      protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
        // Any operation other than 'view' (i.e. 'edit') is allowed outright.
        if (!$items instanceof FieldItemListInterface || $operation !== 'view') {
          return AccessResult::allowed();
        }
        $entity = $items->getEntity();
        $isRevisionLogField = $this->entityType instanceof ContentEntityTypeInterface
          && $field_definition->getName() === $this->entityType->getRevisionMetadataKey('revision_log_message');
        if ($entity && $isRevisionLogField) {
          // The revision log should only be visible to those who can view the
          // revisions OR edit the entity.
          return $entity->access('view revision', $account, TRUE)
            ->orIf($entity->access('update', $account, TRUE));
        }
        return AccessResult::allowed();
      }

  • Slovakia poker10
  • Australia larowlan GMT+10

    I think its fine to say 'With a few exceptions, most fields return access result allowed by default'

    There are other exceptions in e.g. comments

  • Canada Charlie ChX Negyesi

    Is this valid now?

    Yes, it is. Let me emphasize a part of the code you pasted above:

        if ($operation !== 'view') {
          return AccessResult::allowed();
        }
    

    What needs to be documented here is that you cannot rely on fieldAccess alone to check whether a field is accessible by a user; it must be andIf'd with entity access.

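The pattern described in the comments above, as an added example that is not code from this issue, from Drupal core, or from any contributed module. It assumes a hypothetical entity type whose annotation points `handlers = { "access" = ... }` at this class, a hypothetical field `field_internal_notes` and a hypothetical permission `edit example internal notes`. The override shows the one place where a module can make 'edit' field access return something other than allowed; the static helper shows the caller-side combination of entity 'update' access and field 'edit' access that the core default makes necessary.

```php
<?php

namespace Drupal\example_module;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access control handler for a hypothetical 'example' entity type.
 *
 * Registered through the entity type's handlers:
 *   "access" = "Drupal\example_module\ExampleAccessControlHandler"
 * Without an override like checkFieldAccess() below, the core default
 * returns AccessResult::allowed() for every 'edit' operation on every field.
 */
class ExampleAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL) {
    // Hypothetical field and permission (assumptions for this example):
    // editing this one field needs a permission in addition to 'update'
    // access on the entity, which the caller must check separately.
    if ($operation === 'edit' && $field_definition->getName() === 'field_internal_notes') {
      // allowedIfHasPermission() attaches the 'user.permissions' cache
      // context, so the result is safe to cache per role set.
      return AccessResult::allowedIfHasPermission($account, 'edit example internal notes');
    }
    // Everything else keeps the core default: allowed, apart from the
    // revision-log-message 'view' exception implemented in the parent.
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

  /**
   * Decides whether $account may edit $field_name on $entity.
   *
   * FieldItemList::access('edit') only reaches checkFieldAccess(), which for
   * most fields is allowed regardless of whether the account may update the
   * entity. Field access must therefore be andIf'd with entity access: the
   * combined result is allowed only when both operands are allowed, and the
   * cacheability of both is merged into it.
   */
  public static function canEditField(ContentEntityInterface $entity, string $field_name, AccountInterface $account): AccessResultInterface {
    // Insufficient on its own: allowed for most fields even when $account
    // has no 'update' access on $entity.
    $field_access = $entity->get($field_name)->access('edit', $account, TRUE);

    // Sufficient: entity-level 'update' AND field-level 'edit'.
    return $entity->access('update', $account, TRUE)->andIf($field_access);
  }

}
```

Call it as `ExampleAccessControlHandler::canEditField($entity, 'field_internal_notes', $account)->isAllowed()`. Core's entity forms get the same effect implicitly, because the route's `_entity_access: example.update` requirement runs before any widget asks for field 'edit' access; custom code that writes to fields from a controller, a REST resource or a batch job has no such route check in front of it and must combine the two results itself.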
  • Status changed to Needs review 11 months ago
  • India Akhil Babu Chengannur

    Thanks @larowlan and @Ghost of Drupal Past

    I have updated function documentation as per the inputs.

  • Status changed to Needs work 11 months ago
  • United States smustgrave

    Can it be documented in the issue summary why

    \Drupal\Core\Field\FieldItemList::access

    does not need to be updated?
