entityQuery on settings form is missing an access check

Created on 6 June 2024, 9 months ago
Updated 14 August 2024, 6 months ago

Problem/Motivation

The entity query on the settings form is missing an access check:

 ------ ----------------------------------------------------------------------- 
  Line   src/Form/RRSSBSettingsForm.php                                         
 ------ ----------------------------------------------------------------------- 
  244    Relying on entity queries to check access by default is deprecated in  
         drupal:9.2.0 and an error will be thrown from drupal:10.0.0. Call      
         \Drupal\Core\Entity\Query\QueryInterface::accessCheck() with TRUE or   
         FALSE to specify whether access should be checked.                     
         💡 See https://www.drupal.org/node/3201242                             
 ------ -------------------------------------------------------
🐛 Bug report
Status

Closed: works as designed

Version

2.0

Component

Code

Created by

🇯🇵Japan ptmkenny

Comments & Activities

  • Issue created by @ptmkenny
  • Merge request !15 "add missing access check" → (Open) created by ptmkenny
  • Core: 9.5.5 + Environment: PHP 7.3 & MySQL 5.7
    last update 9 months ago
    1 pass
  • Status changed to Needs review 9 months ago
  • Pipeline finished with Success
    9 months ago
    Total: 140s
    #192980
  • 🇬🇧United Kingdom adamps

    Thanks.

    It's strange - the report says "and an error will be thrown from drupal:10.0.0."; however, I just tested on D10 and there was no error. Also, everywhere I checked in Core doesn't have the call to accessCheck.

    After much head-scratching I believe that the error report is wrong. The linked change report states (not obviously, but it's there): "This change doesn't apply to config entities." Which makes sense because they have no access checking. Perhaps you are running an old version of phpstan, or it's a phpstan bug?

  • 🇯🇵Japan ptmkenny

    Hmm, that is interesting. Yes, in theory these errors should be easy to find because they should result in a WSOD.

    It's not a phpstan version problem, as this error can be seen in the GitLab CI report on the project page: https://git.drupalcode.org/project/rrssb/-/jobs/1805469

    When I get some time I'll try to dig into how the drupal phpstan extension is doing this analysis; it very well could be a false positive.

  • Status changed to Closed: works as designed 6 months ago
  • 🇬🇧United Kingdom adamps