Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.See parent issue #3200985: [meta] Fix undesirable access checking on entity query usages for context and test coverage policy.
The user_is_blocked() function should report accurately on the user's status regardless of whether the current user has 'view' access on the user.
core/modules/user/user.module user_is_blocked
Issue fork drupal-3203366
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #2
jonathanshawMajor because it blocks #2785449: It's too easy to write entity queries with access checks that must not have them
Comment #3
jonathanshawThere is no existing test coverage for this function, the usages of it in core do not lead to data integrity problems even with the bug, and you'd need to be doing something very custom to encounter this. Therefore I suggest that under the test coverage policy in the parent issue, we don't add a test here.
Comment #5
longwaveAgree with everything in #3.
Comment #6
alexpottCommitted and pushed cc9a7d8604 to 9.2.x and 661c73b35e to 9.1.x. Thanks!
I agree that trying to tease out test coverage here is not worth it and we can allow this to be committed without it. Especially as do hook_query_user_access_alter is not even present in contrib - http://codcontrib.hank.vps-private.net/search?text=query_user_access_alt...