Allow adding query tags to entity_query Data Producer

I've created a MR that adds the query_tag property to "consumes" and adds it to the query.

Please review and let me know your feedback, many thanks!

Thanks, this is a bit dangerous as then the query tag could be supplied from user input if the developer sets it up wrong. We just fixed a similar minor security weakness in 🐛 Wrong usage of EntityQuery data producer can lead to SQL access bypass Active with the entity_query producer.

Could we lock this down somehow so that developers cannot expose this by accident?

I think this problem can be fixed by applying a solution similar than restricting filters into the entity query producer: https://git.drupalcode.org/project/graphql/-/blob/8.x-4.x/src/Plugin/Gra... .

The solution would be:

- Adding an allowed_query_tags property into the entity query producer.
- When the query is being done, throw an exception when a query tag not defined into allowed_query_tags is detected.

Working on it ASAP.

I've just added a commit that ensures there is a field that sets which are the allowed query tags, so if a query tag is passed dinamically, it does not add unwanted query tags.

Please review, if it looks good I can add tests.

Thanks, approach looks good!

I'm thinking about if the API addition could break existing installations - I think it will break all old sites that have dataproducer_populate_default_values set to FALSE. We could allow the parameters to be nullable with the "?" operator, which is ugly but should work?

I think you can go ahead and add tests now!