entityQuery on settings form is missing an access check

Created on 6 June 2024, 21 days ago
Updated 7 June 2024, 21 days ago

Problem/Motivation

The entity query on the settings form is missing an access check:

 ------ ----------------------------------------------------------------------- 
  Line   src/Form/RRSSBSettingsForm.php                                         
 ------ ----------------------------------------------------------------------- 
  244    Relying on entity queries to check access by default is deprecated in  
         drupal:9.2.0 and an error will be thrown from drupal:10.0.0. Call      
         \Drupal\Core\Entity\Query\QueryInterface::accessCheck() with TRUE or   
         FALSE to specify whether access should be checked.                     
         💡 See https://www.drupal.org/node/3201242                             
 ------ -------------------------------------------------------
🐛 Bug report
Status

Needs review

Version

2.0

Component

Code

Created by

🇯🇵 Japan ptmkenny

Comments & Activities

  • Issue created by @ptmkenny
  • Merge request !15: add missing access check (Open) created by ptmkenny
  • Core: 9.5.5 + Environment: PHP 7.3 & MySQL 5.7
    last update 21 days ago
    1 pass
  • Status changed to Needs review 21 days ago
  • Pipeline finished with Success
    21 days ago
    Total: 140s
    #192980
  • 🇬🇧 United Kingdom AdamPS

    Thanks.

    It's strange - the report says "and an error will be thrown from drupal:10.0.0." however I just tested on D10 and there was no error. Also everywhere I checked in Core doesn't have the call to accessCheck.

    After much head-scratching I believe that the error report is wrong. The linked change report states (not obviously, but it's there): "This change doesn't apply to config entities." Which makes sense because they have no access checking. Perhaps you are running an old version of phpstan, or it's a phpstan bug?

  • 🇯🇵 Japan ptmkenny

    Hmm, that is interesting. Yes, in theory these errors should be easy to find because they should result in a WSOD.

    It's not a phpstan version problem, as this error can be seen in the GitLab CI report on the project page: https://git.drupalcode.org/project/rrssb/-/jobs/1805469

    When I get some time I'll try to dig into how the drupal phpstan extension is doing this analysis; it very well could be a false positive.
