Does entity query access checking perform any access checking for custom content type entity?

Created on 1 February 2024, 11 months ago
Updated 21 February 2024, 11 months ago

Problem/Motivation

While it's becoming clearer with more research, I'm still not 100% certain what's required to harden custom content type entity access when it comes to entity query logic.

While explicit access checking on entity queries is required (see the change record "Access checking must be explicitly specified on content entity queries" →), I had the impression entity access checking was being performed on entity queries. I think it's not, though. See 🐛 Node's "base_table" metatag is a nightmare for generic entity query access (Active).

I think it would be helpful to clear the air and give developers a specific path forward until there is a robust core solution, e.g. ✨ Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter() (Needs work).

Related issues/links
* Entity query on custom entity is not checking access rights
* 📌 Need to implement hook_query_TAG_alter per parent entity type to work with views correctly? (Postponed)
* ✨ Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter() (Needs work)
* Entity API module change record: Added an entity query access API →
* 🐛 Node's "base_table" metatag is a nightmare for generic entity query access (Active)
* 💬 Listing custom entities with proper view access (Closed: won't fix)

Steps to reproduce

N/A - it's a support request

Proposed resolution

Update the following documentation
* Update entity.api.php "Access checking on entities" section to include information for entity query access checking
* Update change record: Access checking must be explicitly specified on content entity queries →
* Update "Creating a custom content entity →" docs page as necessary or consolidate with the next docs page
* Update "Creating a content entity type in Drupal 8 →" docs page with information about entity query access check or update access control handler section →
* Update "Converting a content entity type to be revisionable and publishable →" docs page as necessary for access checking considerations when converting

Merge request link

N/A

Remaining tasks

* Discuss options
* Choose an option to communicate to developers
* Discuss how to communicate, e.g. entity.api.php, doc pages, change records
* Update any related issues to help socialize

User interface changes

N/A

API changes

To be determined

Data model changes

N/A

Release notes snippet

To be determined

💬 Support request
Status

Active

Version

11.0 🔥

Component
Entity

Last updated about 13 hours ago

Created by

🇺🇸 United States jasonawant New Orleans, USA
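
One defensive pattern for the question raised in this issue, as an added example that is not part of the original issue or of Drupal core: call `accessCheck(TRUE)` explicitly, then confirm view access on each loaded entity through its access control handler. The helper name `example_load_viewable()` and the `my_entity` type ID are hypothetical, and the code assumes the SQL entity storage with no `hook_query_TAG_alter()` implementation for the custom type's access tag.

```php
<?php

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Returns the entities of a custom type that $account may view.
 *
 * Hypothetical helper: the function name and the 'my_entity' type ID in the
 * usage comment below are placeholders, not Drupal or project code.
 */
function example_load_viewable(
  EntityTypeManagerInterface $entity_type_manager,
  AccountInterface $account,
  string $entity_type_id,
  array $conditions = []
): array {
  $storage = $entity_type_manager->getStorage($entity_type_id);

  // accessCheck() must be called explicitly. TRUE tags the SQL query with
  // "<entity_type_id>_access"; rows are only restricted if some module
  // implements hook_query_TAG_alter() for that tag.
  $query = $storage->getQuery()->accessCheck(TRUE);
  foreach ($conditions as $field => $value) {
    $query->condition($field, $value);
  }
  $ids = $query->execute();
  if (!$ids) {
    return [];
  }

  // Assumption: nothing alters the tagged query for this entity type, so the
  // access control handler is consulted per entity before anything is
  // returned or rendered.
  $viewable = [];
  foreach ($storage->loadMultiple($ids) as $id => $entity) {
    if ($entity->access('view', $account)) {
      $viewable[$id] = $entity;
    }
  }
  // Filtering after the query means range() or pager() limits apply to the
  // unfiltered result, so a page may hold fewer items than requested.
  return $viewable;
}

// Usage (inside a bootstrapped Drupal site):
// example_load_viewable(\Drupal::entityTypeManager(), \Drupal::currentUser(), 'my_entity', ['status' => 1]);
```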
