Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By star-szr on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
8.x, 7.x
Introduced in version:
7.15
Issue links:
Description:
A DANGEROUS_ACCESS_CHECK_OPT_OUT
query tag has been added to EntityFieldQuery
to allow bypassing access checks. Previously, queries executed through EntityFieldQuery
would always be altered by the node access system, potentially causing unexpected behaviour and data loss.
If you need to bypass access checks in an internal query within your module's API, you may add this tag, but you should only do so if it is necessary. If this query tag is added to a query whose results will be displayed to the user, it will bypass all access checks, potentially exposing sensitive information.
function MYMODULE_field_query($field) {
$query = new EntityFieldQuery();
return $query
->fieldCondition($field)
->addTag('DANGEROUS_ACCESS_CHECK_OPT_OUT')
->execute();
}
Impacts:
Module developers
Comments
Drupal 8 Implementation
In Drupal 8 the same thing can be achieved by using
$query->accessCheck(FALSE);