Contrib.social

Entity Mesh processes restricted custom entities via batch UI without validating anonymous user access

Open on Drupal.org →
Created on 10 July 2025, 4 days ago

Problem/Motivation

It has been identified that in contexts involving custom entities with restricted access permissions, the Entity Mesh system is processing these entities under two specific scenarios:

  • When a batch process is executed from the Drupal administration UI (not via Drush).
  • When the entity is created or updated by a user who has permissions to access the entity.

In both cases, Entity Mesh processes the entity without evaluating whether it should be visible to anonymous users or other specific roles. This can lead to incorrect results.

Thus, it is not sufficient to check access based only on the current user; role-based access validation is required, especially for anonymous users.

A dedicated access-checking service will be implemented to support this requirement and allow future extension to other roles or user profiles.

Steps to reproduce

  • Define a entity type with restricted view permissions (e.g., only accessible to authenticated users).
  • As an authenticated user with create/update permissions: Create or update an instance of the custom entity or
  • Trigger a batch process via the Drupal admin UI that integrates with Entity Mesh.
  • Observe that the entity is processed by the Entity Mesh system.
  • Access to the Entity Mesh report and confirm that the entity is included in it.

Proposed resolution

Develop a service that performs entity access checks for a specific role, starting with anonymous users.

Integrate this service into the Entity Mesh processing flow to ensure that:

  • Entities are not processed unless they are accessible to the designated role(s).
  • Design the service to be extensible, allowing the system to support access checks for other roles or user personas in the future.
  • Ensure batch processes initiated from the UI follow the same access logic as Drush commands.

Remaining tasks

  • Implement the role-based entity access validation service.
  • Update Entity Mesh logic to incorporate the role-based check before processing entities.
  • Apply consistent behavior across different batch triggers (UI and Drush).
  • Write test coverage

User interface changes

None expected immediately. Future improvements may introduce administrative configuration for selecting roles to check access against.

API changes

Introduction of a new service for role-based entity access validation.
No breaking changes to existing APIs.

Data model changes

None.

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇪🇸Spain lpeidro Madrid

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @lpeidro
  • Comment 4 days ago
    🇪🇸Spain lpeidro Madrid
  • Merge request !39Issue #3535302: Implemented phpunit → (Open) created by lpeidro
  • Comment about 18 hours ago
    🇪🇸Spain lpeidro Madrid

    I have implemented the AccountInterface in a class named DummyAccount. This class allows us to instantiate account objects with a specific role, which we can use to test role-based access to entities. Currently, it only tests access for anonymous users, but in the future, we plan to expand its functionality to support different roles.

    The access check to the entity is performed just before creating the source object for a given entity. Doing it at this point ensures that, in all contexts, only the entities accessible to the anonymous user will be processed.

    I have implemented a unit test for this scenario.

    It is ready to be checked by the comunnity.

  • Comment about 18 hours ago
    🇪🇸Spain lpeidro Madrid
  • Comment about 18 hours ago
    🇪🇸Spain eduardo morales alberti Spain, 🇪🇺

    Could you review the coding standard errors?

    PHP CODE SNIFFER REPORT SUMMARY
----------------------------------------------------------------------
FILE                                                  ERRORS  WARNINGS
----------------------------------------------------------------------
entity_mesh.libraries.yml                             1       0
entity_mesh.permissions.yml                           1       0
entity_mesh.routing.yml                               1       0
src/DummyAccount.php                                  22      0
src/Repository.php                                    1       0
tests/src/Kernel/EntityMeshPermissionsTest.php        12      7
----------------------------------------------------------------------
A TOTAL OF 38 ERRORS AND 7 WARNINGS WERE FOUND IN 60 FILES
----------------------------------------------------------------------
PHPCBF CAN FIX 43 OF THESE SNIFF VIOLATIONS AUTOMATICALLY
----------------------------------------------------------------------
PHP CODE SNIFFER VIOLATION SOURCE SUMMARY
----------------------------------------------------------------------
    SOURCE                                                       COUNT
----------------------------------------------------------------------
[x] Drupal.Commenting.PostStatementComment.Found                 15
[x] Drupal.Commenting.InlineComment.InvalidEndChar               14
[x] Drupal.Classes.UnusedUseStatement.UnusedUse                  4
[x] Drupal.WhiteSpace.Comma.TooManySpaces                        4
[x] Drupal.Arrays.Array.CommaLastItem                            2
[x] Drupal.Files.EndFileNewline.TooMany                          2
[x] Drupal.Commenting.DocComment.TagGroupSpacing                 1
[ ] Drupal.Commenting.FunctionComment.MissingReturnComment       1
[x] Drupal.Files.EndFileNewline.NoneFound                        1
[ ] Drupal.Files.LineLength.TooLong                              1
----------------------------------------------------------------------
A TOTAL OF 45 SNIFF VIOLATIONS WERE FOUND IN 10 SOURCES
----------------------------------------------------------------------
PHPCBF CAN FIX THE 8 MARKED SOURCES AUTOMATICALLY (43 VIOLATIONS IN TOTAL)
----------------------------------------------------------------------
  • Comment about 17 hours ago
    🇪🇸Spain Juanjol Navarra

    Thanks for the MR! The implementation looks good.

    Two minor suggestions :

    1. Consider renaming DummyAccount to AnonymousDummyAccount for clarity
    2. Maybe use dependency injection instead of the static variable in Repository::checkAccessEntity() to follow Drupal best practices
  • Comment about 17 hours ago
    🇪🇸Spain Juanjol Navarra

    Please take a look too to the phpcs in the pipeline https://git.drupalcode.org/project/entity_mesh/-/jobs/5876370

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024