Notify the developer if #access is anything other than an allowed boolean or access result object.

Created on 23 May 2025, 14 days ago

Problem/Motivation

Currently if a form element contains an invalid #access value, it will be silently evaluated to a boolean.
This could make some security bugs hard to detect.

Steps to reproduce

Add something like this to a form element:

'#access' => new \stdClass(),

The form element is displayed and processed.

Proposed resolution

We could log a warning if the value is not a boolean or an AccessResultInterface object.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

✨ Feature request

Status

Active

Version

11.0 🔥

Component

forms system

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Comments & Activities

Issue created by @prudloff
Comment 14 days ago →
🇫🇷France prudloff Lille
Comment 14 days ago →
cilefen
I think an exception throw is the best way to notify the developer..

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024