- Issue created by @jasonawant
While it's becoming clearer with more research, I'm still not 100% certain what's required to harden custom content type entity access when it comes to entity query logic.
While explicit access checking on entity queries is required (see the change record "Access checking must be explicitly specified on content entity queries"), I had the impression entity access checking was being performed on entity queries. I think it's not though. See "Node's "base_table" metatag is a nightmare for generic entity query access" (Active).
I think it would be helpful to clear the air and give developers a specific path forward until there is a robust core solution, e.g. "Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter()" (Needs work).
Related issues/links
* Entity query on custom entity is not checking access rights
* Need to implement hook_query_TAG_alter per parent entity type to work with views correctly? (Postponed)
* Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter() (Needs work)
* Entity API module change record: Added an entity query access API
* Node's "base_table" metatag is a nightmare for generic entity query access (Active)
* Listing custom entities with proper view access (Closed: won't fix) - N/A, it's a support request
Update the following documentation
* Update entity.api.php "Access checking on entities" section to include information for entity query access checking
* Update change record: "Access checking must be explicitly specified on content entity queries"
* Update "Creating a custom content entity" docs page as necessary or consolidate with the next docs page
* Update "Creating a content entity type in Drupal 8" docs page with information about entity query access check, or update the access control handler section
* Update "Converting a content entity type to be revisionable and publishable" docs page as necessary for access checking considerations when converting
N/A
* Discuss options
* Choose an option to communicate to developers
* Discuss how to communicate, e.g. entity.api.php, doc pages, change records
* Update any related issues to help socialize
N/A
To be determined
N/A
To be determined
Active
11.0
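The gap the issue describes, as an added example that is not part of the issue or of Drupal core: calling accessCheck(TRUE) on a content entity query tags the generated SQL query with "ENTITY_TYPE_access" and sets "base_table" metadata, but nothing restricts the rows unless the module providing the entity type implements the matching hook_query_TAG_alter(). The entity type "example_item", its module, table and column names, and the permission names are all assumptions made for the example.

```php
<?php

/**
 * @file
 * Added example (not from the issue): enforcing access on entity queries for a
 * hypothetical custom content entity type "example_item" provided by a
 * hypothetical module of the same name. Entity type, module, table, column and
 * permission names are assumptions.
 */

use Drupal\Core\Database\Query\AlterableInterface;

/**
 * Runs an entity query with access checking explicitly enabled.
 *
 * Per the change record "Access checking must be explicitly specified on
 * content entity queries", every content entity query must call accessCheck().
 * Passing TRUE makes the SQL entity query add the "example_item_access" tag,
 * which is what lets the alter hook below restrict the result.
 */
function example_item_load_visible_ids(): array {
  $ids = \Drupal::entityTypeManager()
    ->getStorage('example_item')
    ->getQuery()
    ->accessCheck(TRUE)
    ->condition('status', 1)
    ->execute();
  return array_values($ids);
}

/**
 * Implements hook_query_TAG_alter() for the "example_item_access" tag.
 *
 * Without this hook, accessCheck(TRUE) only tags the query; every row is still
 * returned regardless of what the entity's access control handler would say.
 * Keep the rule here consistent with checkAccess() in that handler, otherwise
 * listings and single-entity access will disagree.
 */
function example_item_query_example_item_access_alter(AlterableInterface $query): void {
  $account = \Drupal::currentUser();

  // Administrators may list everything; leave the query untouched.
  if ($account->hasPermission('administer example_item entities')) {
    return;
  }

  // The entity query records the table it selects from as "base_table"
  // metadata; fall back to the assumed base table name if it is missing.
  $base_table = $query->getMetaData('base_table') ?: 'example_item';

  // Everyone else sees only the items they own (assumes a "uid" owner column).
  // Accounts that cannot view even their own items get an always-false
  // condition so the query returns no rows instead of all of them.
  if ($account->hasPermission('view own example_item entities')) {
    $query->condition("$base_table.uid", $account->id());
  }
  else {
    $query->where('1 = 0');
  }
}
```

The hook is type-hinted with AlterableInterface to match the hook_query_TAG_alter() documentation; for entity queries the object passed in is the SQL Select query, which is why condition() and where() are available on it. The fallback for a missing "base_table" is a defensive assumption for this example; it is the node-specific handling of that metadata that the related "base_table" issue discusses.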