We need to get the SA-CORE-2011-002 changes into D8.
Here's the patch from chx.
To summarize a great deal of discussion, basically taxonomy listings were not respecting node access because the queries did not specify a $query->addMetaData('base_table', 'taxonomy_index');. This new requirement has been posted at http://drupal.org/node/1204572. However, to care for existing contrib modules, a fallback mechanism was put in place which attempts to guess the base table if it's not specified.
I don't think the fallback mechanism makes any sense in D8. Not sure if we should just commit this and keep iterating on it, or if we want to come up with a new patch. Let's discuss!
- #44 Address: Sounds like we should throw an exception if a table is specified that doesn't exist? Right now it seems that we ignore it silently in that case?
FAILED: [[SimpleTest]]: [MySQL] 54,250 pass(es), 3 fail(s), and 0 exception(s). View
PASSED: [[SimpleTest]]: [MySQL] 55,911 pass(es). View
PASSED: [[SimpleTest]]: [MySQL] 54,048 pass(es). View
FAILED: [[SimpleTest]]: [MySQL] 53,985 pass(es), 1 fail(s), and 0 exception(s). View