diff --git a/core/lib/Drupal/Core/Entity/Entity/EntityFormDisplay.php b/core/lib/Drupal/Core/Entity/Entity/EntityFormDisplay.php index 3dcffd2cfa..fe449a564a 100644 --- a/core/lib/Drupal/Core/Entity/Entity/EntityFormDisplay.php +++ b/core/lib/Drupal/Core/Entity/Entity/EntityFormDisplay.php @@ -94,6 +94,7 @@ public static function collectRenderDisplay(FieldableEntityInterface $entity, $f $candidate_ids[] = $entity_type . '.' . $bundle . '.default'; } $results = \Drupal::entityQuery('entity_form_display') + ->accessCheck(TRUE) ->condition('id', $candidate_ids) ->condition('status', TRUE) ->execute(); diff --git a/core/lib/Drupal/Core/Entity/Entity/EntityViewDisplay.php b/core/lib/Drupal/Core/Entity/Entity/EntityViewDisplay.php index 00800b5839..7ea619864d 100644 --- a/core/lib/Drupal/Core/Entity/Entity/EntityViewDisplay.php +++ b/core/lib/Drupal/Core/Entity/Entity/EntityViewDisplay.php @@ -98,6 +98,7 @@ public static function collectRenderDisplays($entities, $view_mode) { $results = \Drupal::entityQuery('entity_view_display') ->condition('id', NestedArray::mergeDeepArray($candidate_ids)) ->condition('status', TRUE) + ->accessCheck(TRUE) ->execute(); // For each bundle, select the first valid candidate display, if any. diff --git a/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php b/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php index b1e1f8646e..95f34bf79e 100644 --- a/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php +++ b/core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php @@ -342,7 +342,7 @@ public function getReferenceableEntities($match = NULL, $match_operator = 'CONTA $query->range(0, $limit); } - $result = $query->execute(); + $result = $query->accessCheck(TRUE)->execute(); if (empty($result)) { return []; @@ -365,6 +365,7 @@ public function countReferenceableEntities($match = NULL, $match_operator = 'CON $query = $this->buildEntityQuery($match, $match_operator); return $query ->count() + ->accessCheck(TRUE) ->execute(); } diff --git a/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php b/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php index c0eff55507..cc3e4efed0 100644 --- a/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php +++ b/core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php @@ -134,9 +134,9 @@ public function checkNodeAccess(array $tree) { $this->collectNodeLinks($tree, $node_links); if ($node_links) { $nids = array_keys($node_links); + $access_check = TRUE; $query = $this->entityTypeManager->getStorage('node')->getQuery(); - $query->accessCheck(TRUE); $query->condition('nid', $nids, 'IN'); // Allows admins to view all nodes, by both disabling node_access @@ -145,13 +145,15 @@ public function checkNodeAccess(array $tree) { // entries per user. $access_result = AccessResult::allowed()->cachePerPermissions(); if ($this->account->hasPermission('bypass node access')) { - $query->accessCheck(FALSE); + $access_check = FALSE; } else { $access_result->addCacheContexts(['user.node_grants:view']); $query->condition('status', NodeInterface::PUBLISHED); + $access_check = TRUE; } + $query->accessCheck($access_check); $nids = $query->execute(); foreach ($nids as $nid) { foreach ($node_links[$nid] as $key => $link) { diff --git a/core/lib/Drupal/Core/Validation/Plugin/Validation/Constraint/UniqueFieldValueValidator.php b/core/lib/Drupal/Core/Validation/Plugin/Validation/Constraint/UniqueFieldValueValidator.php index 1aad291d9a..6811ce3637 100644 --- a/core/lib/Drupal/Core/Validation/Plugin/Validation/Constraint/UniqueFieldValueValidator.php +++ b/core/lib/Drupal/Core/Validation/Plugin/Validation/Constraint/UniqueFieldValueValidator.php @@ -25,9 +25,6 @@ public function validate($items, Constraint $constraint) { $query = \Drupal::entityQuery($entity_type_id); - // @todo Don't check access. http://www.drupal.org/node/3171047 - $query->accessCheck(TRUE); - $entity_id = $entity->id(); // Using isset() instead of !empty() as 0 and '0' are valid ID values for // entity types using string IDs. @@ -39,6 +36,8 @@ public function validate($items, Constraint $constraint) { ->condition($field_name, $item->value) ->range(0, 1) ->count() + // @todo Don't check access. http://www.drupal.org/node/3171047 + ->accessCheck(TRUE) ->execute(); if ($value_taken) { diff --git a/core/modules/block/tests/src/Kernel/NewDefaultThemeBlocksTest.php b/core/modules/block/tests/src/Kernel/NewDefaultThemeBlocksTest.php index 129ac55682..a423a56ac7 100644 --- a/core/modules/block/tests/src/Kernel/NewDefaultThemeBlocksTest.php +++ b/core/modules/block/tests/src/Kernel/NewDefaultThemeBlocksTest.php @@ -59,9 +59,11 @@ public function testNewDefaultThemeBlocks() { // Ensure that the new default theme has the same blocks as the previous // default theme. $default_block_names = $block_storage->getQuery() + ->accessCheck(TRUE) ->condition('theme', $default_theme) ->execute(); $new_blocks = $block_storage->getQuery() + ->accessCheck(TRUE) ->condition('theme', $new_theme) ->execute(); $this->assertSameSize($default_block_names, $new_blocks); @@ -78,6 +80,7 @@ public function testNewDefaultThemeBlocks() { $base_theme = 'test_basetheme'; $theme_installer->install([$base_theme]); $new_blocks = $block_storage->getQuery() + ->accessCheck(TRUE) ->condition('theme', $base_theme) ->execute(); // Installing a hidden base theme does not copy the blocks from the default diff --git a/core/modules/ckeditor5/src/Plugin/CKEditor5Plugin/MediaLibrary.php b/core/modules/ckeditor5/src/Plugin/CKEditor5Plugin/MediaLibrary.php index 47cf823199..d50bc9d6c8 100644 --- a/core/modules/ckeditor5/src/Plugin/CKEditor5Plugin/MediaLibrary.php +++ b/core/modules/ckeditor5/src/Plugin/CKEditor5Plugin/MediaLibrary.php @@ -63,7 +63,7 @@ public static function create(ContainerInterface $container, array $configuratio * {@inheritdoc} */ public function getDynamicPluginConfig(array $static_plugin_config, EditorInterface $editor): array { - $media_type_ids = $this->mediaTypeStorage->getQuery()->execute(); + $media_type_ids = $this->mediaTypeStorage->getQuery()->accessCheck(TRUE)->execute(); if ($editor->hasAssociatedFilterFormat()) { $media_embed_filter = $editor->getFilterFormat()->filters()->get('media_embed'); diff --git a/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php b/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php index e9eef5b28d..aadbac7ec6 100644 --- a/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php +++ b/core/modules/config_translation/src/Controller/ConfigTranslationFieldListBuilder.php @@ -98,6 +98,7 @@ public function load() { // It is not possible to use the standard load method, because this needs // all field entities only for the given baseEntityType. $ids = \Drupal::entityQuery('field_config') + ->accessCheck(TRUE) ->condition('id', $this->baseEntityType . '.', 'STARTS_WITH') ->execute(); return $this->storage->loadMultiple($ids); diff --git a/core/modules/field/field.module b/core/modules/field/field.module index ad9b8f538b..aa35660b57 100644 --- a/core/modules/field/field.module +++ b/core/modules/field/field.module @@ -177,6 +177,7 @@ function field_entity_field_storage_info(EntityTypeInterface $entity_type) { // Query by filtering on the ID as this is more efficient than filtering // on the entity_type property directly. $ids = \Drupal::entityQuery('field_storage_config') + ->accessCheck(TRUE) ->condition('id', $entity_type->id() . '.', 'STARTS_WITH') ->execute(); // Fetch all fields and key them by field name. diff --git a/core/modules/field/src/ConfigImporterFieldPurger.php b/core/modules/field/src/ConfigImporterFieldPurger.php index 22bf7c2058..8ae811dfd6 100644 --- a/core/modules/field/src/ConfigImporterFieldPurger.php +++ b/core/modules/field/src/ConfigImporterFieldPurger.php @@ -124,6 +124,7 @@ public static function getFieldStoragesToPurge(array $extensions, array $deletes } if (!empty($field_storage_ids)) { $field_storages = \Drupal::entityQuery('field_storage_config') + ->accessCheck(TRUE) ->condition('id', $field_storage_ids, 'IN') ->condition('module', $providers, 'NOT IN') ->execute(); diff --git a/core/modules/field/tests/src/Kernel/FieldImportCreateTest.php b/core/modules/field/tests/src/Kernel/FieldImportCreateTest.php index c7138e0e6a..ad5fe82546 100644 --- a/core/modules/field/tests/src/Kernel/FieldImportCreateTest.php +++ b/core/modules/field/tests/src/Kernel/FieldImportCreateTest.php @@ -55,6 +55,7 @@ public function testImportCreateDefault() { // Tests fields. $ids = \Drupal::entityQuery('field_config') + ->accessCheck(TRUE) ->condition('entity_type', 'entity_test') ->condition('bundle', 'entity_test') ->execute(); @@ -62,6 +63,7 @@ public function testImportCreateDefault() { $this->assertTrue(isset($ids['entity_test.entity_test.field_test_import'])); $this->assertTrue(isset($ids['entity_test.entity_test.field_test_import_2'])); $ids = \Drupal::entityQuery('field_config') + ->accessCheck(TRUE) ->condition('entity_type', 'entity_test') ->condition('bundle', 'test_bundle') ->execute(); diff --git a/core/modules/field_ui/src/Form/FieldStorageAddForm.php b/core/modules/field_ui/src/Form/FieldStorageAddForm.php index 7c54ca94cc..56422dc7ed 100644 --- a/core/modules/field_ui/src/Form/FieldStorageAddForm.php +++ b/core/modules/field_ui/src/Form/FieldStorageAddForm.php @@ -538,6 +538,7 @@ protected function getExistingFieldLabels(array $field_names) { // Get all the fields corresponding to the given field storage names and // this entity type. $field_ids = $this->entityTypeManager->getStorage('field_config')->getQuery() + ->accessCheck(TRUE) ->condition('entity_type', $this->entityTypeId) ->condition('field_name', $field_names) ->execute(); diff --git a/core/modules/field_ui/src/Form/FieldStorageConfigEditForm.php b/core/modules/field_ui/src/Form/FieldStorageConfigEditForm.php index d6dec92201..b8d67b4dcd 100644 --- a/core/modules/field_ui/src/Form/FieldStorageConfigEditForm.php +++ b/core/modules/field_ui/src/Form/FieldStorageConfigEditForm.php @@ -198,9 +198,9 @@ public function validateCardinality(array &$element, FormStateInterface $form_st // one selected. Deltas start with 0, so the selected value does not // need to be incremented. $entities_with_higher_delta = \Drupal::entityQuery($this->entity->getTargetEntityTypeId()) - ->accessCheck(FALSE) ->condition($this->entity->getName() . '.%delta', $form_state->getValue('cardinality')) ->count() + ->accessCheck(FALSE) ->execute(); if ($entities_with_higher_delta) { $form_state->setError($element['cardinality_number'], $this->formatPlural($entities_with_higher_delta, 'There is @count entity with @delta or more values in this field.', 'There are @count entities with @delta or more values in this field.', ['@delta' => $form_state->getValue('cardinality') + 1])); diff --git a/core/modules/filter/src/FilterFormatFormBase.php b/core/modules/filter/src/FilterFormatFormBase.php index 5a89904c68..125290039b 100644 --- a/core/modules/filter/src/FilterFormatFormBase.php +++ b/core/modules/filter/src/FilterFormatFormBase.php @@ -164,6 +164,7 @@ public function exists($format_id) { return (bool) $this->entityTypeManager ->getStorage('filter_format') ->getQuery() + ->accessCheck(TRUE) ->condition('format', $format_id) ->execute(); } @@ -185,6 +186,7 @@ public function validateForm(array &$form, FormStateInterface $form_state) { $format_exists = $this->entityTypeManager ->getStorage('filter_format') ->getQuery() + ->accessCheck(TRUE) ->condition('format', $format_format, '<>') ->condition('name', $format_name) ->execute(); diff --git a/core/modules/layout_builder/src/Entity/LayoutBuilderEntityViewDisplay.php b/core/modules/layout_builder/src/Entity/LayoutBuilderEntityViewDisplay.php index c63b96ff01..9148a0d4a9 100644 --- a/core/modules/layout_builder/src/Entity/LayoutBuilderEntityViewDisplay.php +++ b/core/modules/layout_builder/src/Entity/LayoutBuilderEntityViewDisplay.php @@ -173,6 +173,7 @@ public function preSave(EntityStorageInterface $storage) { */ protected function removeSectionField($entity_type_id, $bundle, $field_name) { $query = $this->entityTypeManager()->getStorage($this->getEntityTypeId())->getQuery() + ->accessCheck(TRUE) ->condition('targetEntityType', $this->getTargetEntityTypeId()) ->condition('bundle', $this->getTargetBundle()) ->condition('mode', $this->getMode(), '<>') diff --git a/core/modules/layout_builder/src/Form/LayoutBuilderEntityViewDisplayForm.php b/core/modules/layout_builder/src/Form/LayoutBuilderEntityViewDisplayForm.php index 20876b17c8..f84b564368 100644 --- a/core/modules/layout_builder/src/Form/LayoutBuilderEntityViewDisplayForm.php +++ b/core/modules/layout_builder/src/Form/LayoutBuilderEntityViewDisplayForm.php @@ -144,6 +144,7 @@ protected function isCanonicalMode($mode) { // The default mode is valid if the canonical mode is not enabled. if ($mode === 'default') { $query = $this->entityTypeManager->getStorage($this->entity->getEntityTypeId())->getQuery() + ->accessCheck(TRUE) ->condition('targetEntityType', $this->entity->getTargetEntityTypeId()) ->condition('bundle', $this->entity->getTargetBundle()) ->condition('status', TRUE) diff --git a/core/modules/layout_builder/tests/src/Unit/LayoutBuilderIsActiveCacheContextTest.php b/core/modules/layout_builder/tests/src/Unit/LayoutBuilderIsActiveCacheContextTest.php index f62e042895..6cf12ddb00 100644 --- a/core/modules/layout_builder/tests/src/Unit/LayoutBuilderIsActiveCacheContextTest.php +++ b/core/modules/layout_builder/tests/src/Unit/LayoutBuilderIsActiveCacheContextTest.php @@ -69,6 +69,7 @@ public function testGetContext($is_overridden, $expected) { // of that method are mocked in the next code block. $entity_query = $this->prophesize(QueryInterface::class); $entity_query->condition(Argument::cetera())->willReturn($entity_query); + $entity_query->accessCheck(Argument::cetera())->willReturn($entity_query); $entity_query->execute()->willReturn([ 'a_fieldable_entity_type.the_bundle_id.full' => 'a_fieldable_entity_type.the_bundle_id.full', ]); diff --git a/core/modules/media_library/src/Plugin/Field/FieldWidget/MediaLibraryWidget.php b/core/modules/media_library/src/Plugin/Field/FieldWidget/MediaLibraryWidget.php index 1766346a7d..e39ceca300 100644 --- a/core/modules/media_library/src/Plugin/Field/FieldWidget/MediaLibraryWidget.php +++ b/core/modules/media_library/src/Plugin/Field/FieldWidget/MediaLibraryWidget.php @@ -148,7 +148,7 @@ protected function getAllowedMediaTypeIdsSorted() { // When no target bundles are configured for the field, all are allowed. if ($allowed_media_type_ids === NULL) { - $allowed_media_type_ids = $this->entityTypeManager->getStorage('media_type')->getQuery()->execute(); + $allowed_media_type_ids = $this->entityTypeManager->getStorage('media_type')->getQuery()->accessCheck(TRUE)->execute(); } // When the user did not sort the media types, return the media type IDs diff --git a/core/modules/menu_ui/src/MenuForm.php b/core/modules/menu_ui/src/MenuForm.php index 599eb93c74..7ae851bd44 100644 --- a/core/modules/menu_ui/src/MenuForm.php +++ b/core/modules/menu_ui/src/MenuForm.php @@ -164,7 +164,7 @@ public function form(array $form, FormStateInterface $form_state) { */ public function menuNameExists($value) { // Check first to see if a menu with this ID exists. - if ($this->entityTypeManager->getStorage('menu')->getQuery()->condition('id', $value)->range(0, 1)->count()->execute()) { + if ($this->entityTypeManager->getStorage('menu')->getQuery()->accessCheck(TRUE)->condition('id', $value)->range(0, 1)->count()->execute()) { return TRUE; } diff --git a/core/modules/migrate_drupal/src/Plugin/migrate/source/ContentEntity.php b/core/modules/migrate_drupal/src/Plugin/migrate/source/ContentEntity.php index 798b1eda6b..8019200ece 100644 --- a/core/modules/migrate_drupal/src/Plugin/migrate/source/ContentEntity.php +++ b/core/modules/migrate_drupal/src/Plugin/migrate/source/ContentEntity.php @@ -257,7 +257,7 @@ public function count($refresh = FALSE) { * {@inheritdoc} */ protected function doCount() { - return $this->query()->count()->execute(); + return $this->query()->count()->accessCheck(TRUE)->execute(); } /** diff --git a/core/modules/migrate_drupal_ui/tests/src/Functional/MigrateUpgradeTestBase.php b/core/modules/migrate_drupal_ui/tests/src/Functional/MigrateUpgradeTestBase.php index df5f4230ed..036a02a6d4 100644 --- a/core/modules/migrate_drupal_ui/tests/src/Functional/MigrateUpgradeTestBase.php +++ b/core/modules/migrate_drupal_ui/tests/src/Functional/MigrateUpgradeTestBase.php @@ -253,7 +253,7 @@ protected function assertUpgrade(array $entity_counts) { // Assert the correct number of entities exists. $actual_entity_counts = []; foreach ($entity_definitions as $entity_type) { - $actual_entity_counts[$entity_type] = (int) \Drupal::entityQuery($entity_type)->accessCheck(FALSE)->count()->execute(); + $actual_entity_counts[$entity_type] = (int) \Drupal::entityQuery($entity_type)->count()->accessCheck(FALSE)->execute(); } $this->assertSame($entity_counts, $actual_entity_counts); diff --git a/core/modules/node/node.module b/core/modules/node/node.module index e42f548422..7782372f5f 100644 --- a/core/modules/node/node.module +++ b/core/modules/node/node.module @@ -586,9 +586,9 @@ function node_cron() { $min_alias = 'min_created'; $max_alias = 'max_created'; $result = \Drupal::entityQueryAggregate('node') - ->accessCheck(FALSE) ->aggregate('created', 'MIN', NULL, $min_alias) ->aggregate('created', 'MAX', NULL, $max_alias) + ->accessCheck(FALSE) ->execute(); if (isset($result[0])) { // Make an array with definite keys and store it in the state system. @@ -718,6 +718,7 @@ function node_get_recent($number = 10) { } } $nids = $query + ->accessCheck(TRUE) ->sort('changed', 'DESC') ->range(0, $number) ->addTag('node_access') @@ -1093,8 +1094,7 @@ function node_access_rebuild($batch_mode = FALSE) { // user does not have access. And unless the current user has the bypass // node access permission, no nodes are accessible since the grants have // just been deleted. - $entity_query->accessCheck(FALSE); - $nids = $entity_query->execute(); + $nids = $entity_query->accessCheck(FALSE)->execute(); foreach ($nids as $nid) { $node_storage->resetCache([$nid]); $node = Node::load($nid); @@ -1148,8 +1148,8 @@ function _node_access_rebuild_batch_operation(&$context) { // user does not have access. And unless the current user has the bypass // node access permission, no nodes are accessible since the grants have // just been deleted. - ->accessCheck(FALSE) ->range(0, $limit) + ->accessCheck(FALSE) ->execute(); $node_storage->resetCache($nids); $nodes = Node::loadMultiple($nids); diff --git a/core/modules/search/src/Form/SearchPageFormBase.php b/core/modules/search/src/Form/SearchPageFormBase.php index a0df9cbee0..ce20171f44 100644 --- a/core/modules/search/src/Form/SearchPageFormBase.php +++ b/core/modules/search/src/Form/SearchPageFormBase.php @@ -120,6 +120,7 @@ public function form(array $form, FormStateInterface $form_state) { */ public function exists($id) { $entity = $this->entityTypeManager->getStorage('search_page')->getQuery() + ->accessCheck(TRUE) ->condition('id', $id) ->execute(); return (bool) $entity; @@ -133,6 +134,7 @@ public function validateForm(array &$form, FormStateInterface $form_state) { // Ensure each path is unique. $path = $this->entityTypeManager->getStorage('search_page')->getQuery() + ->accessCheck(TRUE) ->condition('path', $form_state->getValue('path')) ->condition('id', $form_state->getValue('id'), '<>') ->execute(); diff --git a/core/modules/shortcut/src/Form/SwitchShortcutSet.php b/core/modules/shortcut/src/Form/SwitchShortcutSet.php index 2ee852b91d..6759559e6a 100644 --- a/core/modules/shortcut/src/Form/SwitchShortcutSet.php +++ b/core/modules/shortcut/src/Form/SwitchShortcutSet.php @@ -150,6 +150,7 @@ public function buildForm(array $form, FormStateInterface $form_state, UserInter */ public function exists($id) { return (bool) $this->shortcutSetStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', $id) ->execute(); } diff --git a/core/modules/system/src/Form/DateFormatFormBase.php b/core/modules/system/src/Form/DateFormatFormBase.php index ba51c2920e..889ebe5cb9 100644 --- a/core/modules/system/src/Form/DateFormatFormBase.php +++ b/core/modules/system/src/Form/DateFormatFormBase.php @@ -65,6 +65,7 @@ public static function create(ContainerInterface $container) { public function exists($entity_id, array $element) { return (bool) $this->dateFormatStorage ->getQuery() + ->accessCheck(TRUE) ->condition('id', $element['#field_prefix'] . $entity_id) ->execute(); } diff --git a/core/modules/tour/tour.module b/core/modules/tour/tour.module index e6bbd2ae63..7116b3812b 100644 --- a/core/modules/tour/tour.module +++ b/core/modules/tour/tour.module @@ -84,6 +84,7 @@ function tour_page_bottom(array &$page_bottom) { $route_name = $route_match->getRouteName(); $results = \Drupal::entityQuery('tour') + ->accessCheck(TRUE) ->condition('routes.*.route_name', $route_name) ->execute(); if (!empty($results) && $tours = Tour::loadMultiple(array_keys($results))) { diff --git a/core/modules/user/src/Form/RoleSettingsForm.php b/core/modules/user/src/Form/RoleSettingsForm.php index ecf6836fc3..add938931d 100644 --- a/core/modules/user/src/Form/RoleSettingsForm.php +++ b/core/modules/user/src/Form/RoleSettingsForm.php @@ -61,6 +61,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { $roles = user_role_names(TRUE); unset($roles[RoleInterface::AUTHENTICATED_ID]); $admin_roles = $this->roleStorage->getQuery() + ->accessCheck(TRUE) ->condition('is_admin', TRUE) ->execute(); $default_value = reset($admin_roles); @@ -91,6 +92,7 @@ public function buildForm(array $form, FormStateInterface $form_state) { public function submitForm(array &$form, FormStateInterface $form_state) { if ($form_state->hasValue('user_admin_role')) { $admin_roles = $this->roleStorage->getQuery() + ->accessCheck(TRUE) ->condition('is_admin', TRUE) ->execute(); foreach ($admin_roles as $rid) { diff --git a/core/modules/views/src/Plugin/views/field/RenderedEntity.php b/core/modules/views/src/Plugin/views/field/RenderedEntity.php index d4429a5cfa..fbd327fc2d 100644 --- a/core/modules/views/src/Plugin/views/field/RenderedEntity.php +++ b/core/modules/views/src/Plugin/views/field/RenderedEntity.php @@ -156,6 +156,7 @@ public function getCacheTags() { $view_display_storage = $this->entityTypeManager->getStorage('entity_view_display'); $view_displays = $view_display_storage->loadMultiple($view_display_storage ->getQuery() + ->accessCheck(TRUE) ->condition('targetEntityType', $this->getEntityTypeId()) ->execute()); diff --git a/core/modules/views/src/Views.php b/core/modules/views/src/Views.php index 33ec07304a..9398305cd2 100644 --- a/core/modules/views/src/Views.php +++ b/core/modules/views/src/Views.php @@ -218,6 +218,7 @@ public static function getApplicableViews($type) { $entity_ids = \Drupal::entityQuery('view') ->condition('status', TRUE) ->condition("display.*.display_plugin", $plugin_ids, 'IN') + ->accessCheck(TRUE) ->execute(); $result = []; @@ -256,6 +257,7 @@ public static function getAllViews() { public static function getEnabledViews() { $query = \Drupal::entityQuery('view') ->condition('status', TRUE) + ->accessCheck(TRUE) ->execute(); return \Drupal::entityTypeManager()->getStorage('view')->loadMultiple($query); @@ -270,6 +272,7 @@ public static function getEnabledViews() { public static function getDisabledViews() { $query = \Drupal::entityQuery('view') ->condition('status', FALSE) + ->accessCheck(TRUE) ->execute(); return \Drupal::entityTypeManager()->getStorage('view')->loadMultiple($query); diff --git a/core/modules/views/tests/src/Unit/ViewsTest.php b/core/modules/views/tests/src/Unit/ViewsTest.php index 5eb36e4c0d..d23b92bc05 100644 --- a/core/modules/views/tests/src/Unit/ViewsTest.php +++ b/core/modules/views/tests/src/Unit/ViewsTest.php @@ -151,6 +151,10 @@ public function testGetApplicableViews($applicable_type, $expected) { ], 'view'); $query = $this->createMock('Drupal\Core\Entity\Query\QueryInterface'); + $query->expects($this->once()) + ->method('accessCheck') + ->with(TRUE) + ->willReturnSelf(); $query->expects($this->exactly(2)) ->method('condition') ->willReturnSelf(); diff --git a/core/modules/workflows/src/Entity/Workflow.php b/core/modules/workflows/src/Entity/Workflow.php index 3c7b06bcc9..2821adc702 100644 --- a/core/modules/workflows/src/Entity/Workflow.php +++ b/core/modules/workflows/src/Entity/Workflow.php @@ -154,7 +154,11 @@ protected function getPluginCollection() { * @see \Drupal\workflows\Annotation\WorkflowType */ public static function loadMultipleByType($type) { - return self::loadMultiple(\Drupal::entityQuery('workflow')->condition('type', $type)->execute()); + return self::loadMultiple(\Drupal::entityQuery('workflow') + ->accessCheck(TRUE) + ->condition('type', $type) + ->execute() + ); } /** diff --git a/core/modules/workspaces/tests/src/Kernel/WorkspaceIntegrationTest.php b/core/modules/workspaces/tests/src/Kernel/WorkspaceIntegrationTest.php index 99e5ddd54c..ebdafdbf31 100644 --- a/core/modules/workspaces/tests/src/Kernel/WorkspaceIntegrationTest.php +++ b/core/modules/workspaces/tests/src/Kernel/WorkspaceIntegrationTest.php @@ -934,7 +934,7 @@ protected function assertEntityQuery(array $expected_values, string $entity_type $result = (int) $storage->getQuery()->accessCheck(FALSE)->count()->execute(); $this->assertSame(count($expected_default_revisions), $result); - $result = (int) $storage->getAggregateQuery()->accessCheck(FALSE)->count()->execute(); + $result = (int) $storage->getAggregateQuery()->count()->accessCheck(FALSE)->execute(); $this->assertSame(count($expected_default_revisions), $result); // Check entity queries with no conditions. diff --git a/core/modules/workspaces/workspaces.install b/core/modules/workspaces/workspaces.install index 2c37233f92..1835d41628 100644 --- a/core/modules/workspaces/workspaces.install +++ b/core/modules/workspaces/workspaces.install @@ -54,6 +54,7 @@ function workspaces_install() { // 'administrator' role. This way we avoid hard coding user ID 1 for sites // that prefer to not give it any special meaning. $admin_roles = \Drupal::entityTypeManager()->getStorage('user_role')->getQuery() + ->accessCheck(TRUE) ->condition('is_admin', TRUE) ->execute(); if (!empty($admin_roles)) { diff --git a/core/phpstan.neon.dist b/core/phpstan.neon.dist index 881dd8f4e9..abd9350add 100644 --- a/core/phpstan.neon.dist +++ b/core/phpstan.neon.dist @@ -36,7 +36,3 @@ parameters: - "#^Missing cache backend declaration for performance.#" - "#cache tag might be unclear and does not contain the cache key in it.#" - "#^Class .* extends @internal class#" - - # This check was ignored on purpose until the issues with it, which started in version 1.1.15, are solved. - # @see https://www.drupal.org/node/3280328 - - "#^Missing explicit access check on entity query.#" diff --git a/core/tests/Drupal/KernelTests/Core/Entity/ConfigEntityQueryTest.php b/core/tests/Drupal/KernelTests/Core/Entity/ConfigEntityQueryTest.php index f8f329613e..c6a334ce83 100644 --- a/core/tests/Drupal/KernelTests/Core/Entity/ConfigEntityQueryTest.php +++ b/core/tests/Drupal/KernelTests/Core/Entity/ConfigEntityQueryTest.php @@ -155,72 +155,84 @@ public function testConfigEntityQuery() { // Filter by ID with equality. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', '3') ->execute(); $this->assertResults(['3']); // Filter by label with a known prefix. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('label', 'test_prefix', 'STARTS_WITH') ->execute(); $this->assertResults(['3']); // Filter by label with a known suffix. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('label', 'test_suffix', 'ENDS_WITH') ->execute(); $this->assertResults(['4']); // Filter by label with a known containing word. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('label', 'test_contains', 'CONTAINS') ->execute(); $this->assertResults(['5']); // Filter by ID with the IN operator. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', ['2', '3'], 'IN') ->execute(); $this->assertResults(['2', '3']); // Filter by ID with the implicit IN operator. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', ['2', '3']) ->execute(); $this->assertResults(['2', '3']); // Filter by ID with the > operator. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', '3', '>') ->execute(); $this->assertResults(['4', '5', '6', '7']); // Filter by ID with the >= operator. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', '3', '>=') ->execute(); $this->assertResults(['3', '4', '5', '6', '7']); // Filter by ID with the <> operator. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', '3', '<>') ->execute(); $this->assertResults(['1', '2', '4', '5', '6', '7']); // Filter by ID with the < operator. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', '3', '<') ->execute(); $this->assertResults(['1', '2']); // Filter by ID with the <= operator. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', '3', '<=') ->execute(); $this->assertResults(['1', '2', '3']); // Filter by two conditions on the same field. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('label', 'test_pref', 'STARTS_WITH') ->condition('label', 'test_prefix', 'STARTS_WITH') ->execute(); @@ -229,6 +241,7 @@ public function testConfigEntityQuery() { // Filter by two conditions on different fields. The first query matches for // a different ID, so the result is empty. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('label', 'test_prefix', 'STARTS_WITH') ->condition('id', '5') ->execute(); @@ -237,6 +250,7 @@ public function testConfigEntityQuery() { // Filter by two different conditions on different fields. This time the // first condition matches on one item, but the second one does as well. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('label', 'test_prefix', 'STARTS_WITH') ->condition('id', '3') ->execute(); @@ -246,6 +260,7 @@ public function testConfigEntityQuery() { // every entry, the second one as well, but just the third one filters so // that just two are left. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', '1', '>=') ->condition('number', 10, '>=') ->condition('number', 50, '>=') @@ -254,6 +269,7 @@ public function testConfigEntityQuery() { // Filter with an OR condition group. $this->queryResults = $this->entityStorage->getQuery('OR') + ->accessCheck(TRUE) ->condition('id', 1) ->condition('id', '2') ->execute(); @@ -261,22 +277,26 @@ public function testConfigEntityQuery() { // Simplify it with IN. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', ['1', '2']) ->execute(); $this->assertResults(['1', '2']); // Try explicit IN. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', ['1', '2'], 'IN') ->execute(); $this->assertResults(['1', '2']); // Try not IN. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', ['1', '2'], 'NOT IN') ->execute(); $this->assertResults(['3', '4', '5', '6', '7']); // Filter with an OR condition group on different fields. $this->queryResults = $this->entityStorage->getQuery('OR') + ->accessCheck(TRUE) ->condition('id', 1) ->condition('number', 41) ->execute(); @@ -285,6 +305,7 @@ public function testConfigEntityQuery() { // Filter with an OR condition group on different fields but matching on the // same entity. $this->queryResults = $this->entityStorage->getQuery('OR') + ->accessCheck(TRUE) ->condition('id', 1) ->condition('number', 31) ->execute(); @@ -299,6 +320,7 @@ public function testConfigEntityQuery() { ->condition('id', 1) ->condition('label', $this->entities[3]->label); $this->queryResults = $query + ->accessCheck(TRUE) ->condition($and_condition_1) ->condition($and_condition_2) ->execute(); @@ -313,6 +335,7 @@ public function testConfigEntityQuery() { ->condition('id', '2') ->condition('label', $this->entities[1]->label); $this->queryResults = $query + ->accessCheck(TRUE) ->condition($and_condition_1) ->condition($and_condition_2) ->execute(); @@ -327,6 +350,7 @@ public function testConfigEntityQuery() { ->condition('id', 1) ->condition('label', $this->entities[3]->label); $this->queryResults = $query + ->accessCheck(TRUE) ->condition('number', 31) ->condition($and_condition_1) ->condition($and_condition_2) @@ -342,6 +366,7 @@ public function testConfigEntityQuery() { ->condition('id', 1) ->condition('label', $this->entities[3]->label); $this->queryResults = $query + ->accessCheck(TRUE) ->condition('number', 53) ->condition($and_condition_1) ->condition($and_condition_2) @@ -350,21 +375,25 @@ public function testConfigEntityQuery() { // Test the exists and notExists conditions. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->exists('id') ->execute(); $this->assertResults(['1', '2', '3', '4', '5', '6', '7']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->exists('non-existent') ->execute(); $this->assertResults([]); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->notExists('id') ->execute(); $this->assertResults([]); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->notExists('non-existent') ->execute(); $this->assertResults(['1', '2', '3', '4', '5', '6', '7']); @@ -385,14 +414,17 @@ public function testStringIdConditions() { // Test 'STARTS_WITH' condition. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', 'foo.bar', 'STARTS_WITH') ->execute(); $this->assertResults(['foo.bar']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', 'f', 'STARTS_WITH') ->execute(); $this->assertResults(['foo.bar']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', 'miss', 'STARTS_WITH') ->execute(); $this->assertResults([]); @@ -403,24 +435,29 @@ public function testStringIdConditions() { ->execute(); $this->assertResults(['foo.bar']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', 'oo.ba', 'CONTAINS') ->execute(); $this->assertResults(['foo.bar']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', 'miss', 'CONTAINS') ->execute(); $this->assertResults([]); // Test 'ENDS_WITH' condition. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', 'foo.bar', 'ENDS_WITH') ->execute(); $this->assertResults(['foo.bar']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', 'r', 'ENDS_WITH') ->execute(); $this->assertResults(['foo.bar']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('id', 'miss', 'ENDS_WITH') ->execute(); $this->assertResults([]); @@ -433,6 +470,7 @@ public function testCount() { // Test count on no conditions. $count = $this->entityStorage->getQuery() ->count() + ->accessCheck(TRUE) ->execute(); $this->assertCount($count, $this->entities); @@ -447,6 +485,7 @@ public function testCount() { $count = $query ->condition($and_condition_1) ->condition($and_condition_2) + ->accessCheck(TRUE) ->count() ->execute(); $this->assertSame(2, $count); @@ -459,11 +498,13 @@ public function testSortRange() { // Sort by simple ascending/descending. $this->queryResults = $this->entityStorage->getQuery() ->sort('number', 'DESC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['7', '3', '5', '2', '1', '4', '6'], array_values($this->queryResults)); $this->queryResults = $this->entityStorage->getQuery() ->sort('number', 'ASC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['6', '4', '1', '2', '5', '3', '7'], array_values($this->queryResults)); @@ -471,12 +512,14 @@ public function testSortRange() { $this->queryResults = $this->entityStorage->getQuery() ->condition('id', '3', '>') ->sort('number', 'DESC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['7', '5', '4', '6'], array_values($this->queryResults)); $this->queryResults = $this->entityStorage->getQuery() ->condition('id', '3', '>') ->sort('number', 'ASC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['6', '4', '5', '7'], array_values($this->queryResults)); @@ -484,12 +527,14 @@ public function testSortRange() { $this->queryResults = $this->entityStorage->getQuery() ->sort('number', 'DESC') ->range('2', '2') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['5', '2'], array_values($this->queryResults)); $this->queryResults = $this->entityStorage->getQuery() ->sort('number', 'ASC') ->range('2', '2') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['1', '2'], array_values($this->queryResults)); @@ -497,6 +542,7 @@ public function testSortRange() { $this->queryResults = $this->entityStorage->getQuery() ->range(0, '3') ->sort('id', 'ASC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['1', '2', '3'], array_values($this->queryResults)); @@ -504,6 +550,7 @@ public function testSortRange() { $this->queryResults = $this->entityStorage->getQuery() ->pager('4', 0) ->sort('id', 'ASC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['1', '2', '3', '4'], array_values($this->queryResults)); } @@ -522,6 +569,7 @@ public function testTableSort() { $this->queryResults = $this->entityStorage->getQuery() ->tableSort($header) ->sort('id', 'DESC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['7', '6', '5', '4', '3', '2', '1'], array_values($this->queryResults)); @@ -529,6 +577,7 @@ public function testTableSort() { $this->queryResults = $this->entityStorage->getQuery() ->tableSort($header) ->sort('id', 'ASC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['1', '2', '3', '4', '5', '6', '7'], array_values($this->queryResults)); @@ -536,6 +585,7 @@ public function testTableSort() { $this->queryResults = $this->entityStorage->getQuery() ->tableSort($header) ->sort('id', 'desc') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['7', '6', '5', '4', '3', '2', '1'], array_values($this->queryResults)); @@ -543,6 +593,7 @@ public function testTableSort() { $this->queryResults = $this->entityStorage->getQuery() ->tableSort($header) ->sort('id', 'asc') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['1', '2', '3', '4', '5', '6', '7'], array_values($this->queryResults)); @@ -551,6 +602,7 @@ public function testTableSort() { $this->queryResults = $this->entityStorage->getQuery() ->tableSort($header) ->sort('number', 'DeSc') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['7', '3', '5', '2', '1', '4', '6'], array_values($this->queryResults)); @@ -558,6 +610,7 @@ public function testTableSort() { $this->queryResults = $this->entityStorage->getQuery() ->tableSort($header) ->sort('number', 'AsC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['6', '4', '1', '2', '5', '3', '7'], array_values($this->queryResults)); @@ -565,6 +618,7 @@ public function testTableSort() { $this->queryResults = $this->entityStorage->getQuery() ->tableSort($header) ->sort('number', 'dEsC') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['7', '3', '5', '2', '1', '4', '6'], array_values($this->queryResults)); @@ -572,6 +626,7 @@ public function testTableSort() { $this->queryResults = $this->entityStorage->getQuery() ->tableSort($header) ->sort('number', 'aSc') + ->accessCheck(TRUE) ->execute(); $this->assertSame(['6', '4', '1', '2', '5', '3', '7'], array_values($this->queryResults)); } @@ -581,70 +636,85 @@ public function testTableSort() { */ public function testDotted() { $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('array.level1.*', 1) ->execute(); $this->assertResults(['1', '3']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('*.level1.level2', 2) ->execute(); $this->assertResults(['2', '4']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('array.level1.*', 3) ->execute(); $this->assertResults(['5']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('array.level1.level2', 3) ->execute(); $this->assertResults(['5']); // Test dotted sorting. $this->queryResults = $this->entityStorage->getQuery() ->sort('array.level1.level2') + ->accessCheck(TRUE) ->execute(); $this->assertResults(['6', '1', '3', '2', '4', '5', '7']); $this->queryResults = $this->entityStorage->getQuery() ->sort('array.level1.level2', 'DESC') + ->accessCheck(TRUE) ->execute(); $this->assertResults(['7', '5', '2', '4', '1', '3', '6']); // Make sure that values on the wildcard level do not match if there are // sub-keys defined. This must not find anything even if entity 2 has a // top-level key number with value 41. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('*.level1.level2', 41) ->execute(); $this->assertResults([]); // Make sure that "IS NULL" and "IS NOT NULL" work correctly with // array-valued fields/keys. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->exists('array.level1.level2') ->execute(); $this->assertResults(['1', '2', '3', '4', '5', '7']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->exists('array.level1') ->execute(); $this->assertResults(['1', '2', '3', '4', '5', '6', '7']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->exists('array') ->execute(); $this->assertResults(['1', '2', '3', '4', '5', '6', '7']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->notExists('array.level1.level2') ->execute(); $this->assertResults(['6']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->notExists('array.level1') ->execute(); $this->assertResults([]); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->notExists('array') ->execute(); $this->assertResults([]); // Make sure that "IS NULL" and "IS NOT NULL" work correctly when the dotted // path cannot be fully followed. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->exists('does.not.exist') ->execute(); $this->assertResults([]); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->notExists('does.not.exist') ->execute(); $this->assertResults(['1', '2', '3', '4', '5', '6', '7']); @@ -656,11 +726,13 @@ public function testDotted() { public function testCaseSensitivity() { // Filter by label with a known containing case-sensitive word. $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('label', 'TEST', 'CONTAINS') ->execute(); $this->assertResults(['3', '4', '5']); $this->queryResults = $this->entityStorage->getQuery() + ->accessCheck(TRUE) ->condition('label', 'test', 'CONTAINS') ->execute(); $this->assertResults(['3', '4', '5']); diff --git a/core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php b/core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php index 64da52d11a..891c997e3b 100644 --- a/core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php +++ b/core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php @@ -303,15 +303,15 @@ public function testCheckNodeAccess() { ]); $query = $this->createMock('Drupal\Core\Entity\Query\QueryInterface'); - $query->expects($this->once()) - ->method('accessCheck') - ->with(TRUE); $query->expects($this->exactly(2)) ->method('condition') ->withConsecutive( ['nid', [1, 2, 3, 4]], ['status', NodeInterface::PUBLISHED], ); + $query->expects($this->once()) + ->method('accessCheck') + ->with(TRUE); $query->expects($this->once()) ->method('execute') ->willReturn([1, 2, 4]);