Contrib.social

"bool $return_as_object" needs to go the way of the dodo

Open on Drupal.org →
Created on 3 March 2025, about 1 month ago

Problem/Motivation

The following methods all have @return bool|\Drupal\Core\Access\AccessResultInterface depending on how @param bool $return_as_object was set.

  • AccessibleInterface::access()
  • AccessManagerInterface::checkNamedRoute()
  • AccessManagerInterface::checkRequest()
  • AccessManagerInterface::check()
  • ActionInterface::access()
  • BlockPluginInterface::access()
  • EntityAccessControlHandlerInterface::access()
  • EntityAccessControlHandlerInterface::createAccess()
  • EntityAccessControlHandlerInterface::fieldAccess()
  • Url::access()

I've recently seen more and more core bugs where, by happy accident, code that was forgetting to properly add its cacheable dependencies still worked. Because we're now going to be placeholdering more blocks ( 📌 Create placeholders for more things Active ), more of these bugs will arise.

Now one of the things these bugs usually had in common was that they were running access checks with $return_as_object as FALSE, meaning all cacheable metadata required to get to that access result was just tossed out.

How is this a thing? We should get rid of $return_as_object altogether and if people really care about only the outcome, they can still call $result->isAllowed() instead.

This is the exact same type of situation as entity queries' access flag where we want people to actively consider the security implications of what they're doing.

Steps to reproduce

See the blocks issue mentioned above or 🐛 Any page with a node on it is completely uncacheable if you do not have the "access user profiles" permission Active or many other core issues I've worked on recently.

Proposed resolution

Deprecate $return_as_object everywhere and force people to use isAllowed() instead.

Remaining tasks

Perhaps someone smarter than me can come up with a rector rule that swaps out calls to any of the above methods to set $return_as_object to TRUE and replace a boolean check with isAllowed()?

User interface changes

N/A

Introduced terminology

N/A

API changes

Deprecate returning access results as boolean

Data model changes

N/A

Release notes snippet

TBD

📌 Task
Status

Active

Version

11.0 🔥

Component

base system

Created by

🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @kristiaanvandeneynde
  • Comment about 1 month ago
    godotislate

    Relatedly, the value of the render array #access property and the return value of the render array #access_callback property can be booleans or AccessInterface objects. It's probably worth considering whether those should be enforced to be access objects as well.

  • Comment about 1 month ago
    🇬🇧United Kingdom catch

    Relatedly, the value of the render array #access property

    This is pretty handy in form alters to just not show a particular form element on a form, so not sure we should prevent people setting it to FALSE.

  • Comment about 1 month ago
    🇨🇭Switzerland berdir Switzerland

    > This is pretty handy in form alters to just not show a particular form element on a form, so not sure we should prevent people setting it to FALSE.

    Well, AccessResult::forbidden() is not that much more work. But yes, #access is often just used as a plain not visible flag and not really something access related. But it very much is an issue, yes.

    > How is this a thing? We should get rid of $return_as_object altogether and if people really care about only the outcome, they can still call $result->isAllowed() instead.

    For context, the reason it is like this is BC. This was introduced late in D8 development phase and it wasn't feasible to break all existing code using those API's.

    > This is the exact same type of situation as entity queries' access flag where we want people to actively consider the security implications of what they're doing.

    FWIW, I don't really see it as the same thing. entity query forces you to make a decision, $entity->access()->isAllowed() doesn't force you to make a decision or do anything with that it just requires to type out an extra method call. Also, some API's that have such a condition parameters around cacheability do sometimes explicitly expose that cacheability into the global/current state, for example \Drupal\Core\Utility\Token::doReplace(). So making this required might actually have a negative effect on cacheability bugs. Pretty sure access doesn't do that though. One reason for that is the account parameter, because due to that, you never know if it's really/always for the current user or not. There are issues open about that problem.

  • Comment 30 days ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

    For context, the reason it is like this is BC. This was introduced late in D8 development phase and it wasn't feasible to break all existing code using those API's.

    Yeah I'm aware of the history. I could have phrased the IS as "How is this still a thing", I suppose.

    FWIW, I don't really see it as the same thing. entity query forces you to make a decision, $entity->access()->isAllowed() doesn't force you to make a decision or do anything with that it just requires to type out an extra method call.

    I disagree here. As long as we allow people to throw out cacheable metadata by using the boolean return value, we are letting them live in perfect ignorance of what their access check really meant.

    If we start forcing everyone to use AccessResultInterface instead, it will make people aware of what they're dealing with and hopefully that will lower the barrier for people to properly add their access checks' cacheability to whatever they're building.

    You could still get away with just calling ->isAllowed(), sure, but at that point you'd at least should be aware that you're dealing with a value object which can do more than just tell you whether access is granted. So at that point it would then be more fair to say the developer was aware and failed to add the right cacheable metadata. Right now the default $return_as_object is FALSE, so people don't even see that parameter and might not know they could be asking for a proper value object instead.

  • Comment 30 days ago
    🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

    One reason for that is the account parameter, because due to that, you never know if it's really/always for the current user or not. There are issues open about that problem.

    Yeah, I know. This is one of them: 🐛 Access result caching per user(.permissions) does not check for correct user Needs work

    That shouldn't stop us from fixing all the places where currently cacheable metadata is thrown in the garbage, though. As we are moving pieces to placeholders, these issues are popping up left and right and we should try to put an end to them in bulk. Deprecating a boolean return value from access checks would go a long way already.

    Perhaps it would put more pressure on us to finally fix the issue regarding non-current-user access checking. We have one in AccessPolicyProcessor using the account switcher, but that's only possible because said processor's internal cacheable metadata will never bubble up and we know exactly which user we're dealing with. This was by design as I was honestly annoyed with how tightly coupled our access checks are to the user cache contexts (and therefore current user).

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024