It seems to still be possible to retrieve nodes using EFQ even w/o "Node: Basic page: Read entities using JavaScript" permission when not specifying an entityCondition('bundle', 'page'). Patch attached that alters the result after the query has been executed.

Also, not sure if I am understanding it correctly, but the EFQ docs say that "It is not possible to query across multiple entity types." so I guess the result would always be just 1 entity type? I've removed the foreach ($results as ... in this patch.

File | Size | Author
restrict-efq-bundle-level.patch | 5.64 KB | dsdeiz

Comments

saltednut

Status: Needs review » Closed (fixed)

Patch applies clean. I definitely overlooked the single entity type portion of the EFQ docs! This definitely makes things less complicated.

I suppose just running the EFQ and then checking access for the output is acceptable. It definitely cleans things up a lot from a code-reading perspective.

Passes tests and my manual code review. Excellent work. Committed!

http://drupalcode.org/project/entity_js.git/commit/02a6737

saltednut

Issue summary: View changes

Veryyyy minor typo :D
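
The approach discussed in this issue (execute the EntityFieldQuery first, then drop every row whose bundle the caller has no read permission for) looks like this in plain PHP. This is an added example, not the committed entity_js patch: the function name, the permission strings and the sample rows are assumptions constructed for illustration, and the array only models the shape that `EntityFieldQuery::execute()` returns in Drupal 7.

```php
<?php
// Added example, not entity_js code. Models the Drupal 7 EFQ result shape:
// $result[$entity_type][$id] = stub object carrying the id and the bundle.

/**
 * Removes rows whose bundle the caller may not read (hypothetical helper).
 *
 * @param array $result       Result array in EntityFieldQuery::execute() shape.
 * @param string $bundle_key  Stub property holding the bundle ('type' for nodes).
 * @param callable $can_read  fn(string $entity_type, string $bundle): bool.
 *   Inside Drupal 7 this would wrap user_access() with the per-bundle permission.
 */
function filter_efq_result_by_bundle(array $result, string $bundle_key, callable $can_read): array {
  $filtered = [];
  foreach ($result as $entity_type => $stubs) {
    foreach ($stubs as $id => $stub) {
      // Fail closed: a stub without a bundle property is dropped, not passed on.
      $bundle = $stub->{$bundle_key} ?? NULL;
      if ($bundle !== NULL && $can_read($entity_type, $bundle)) {
        $filtered[$entity_type][$id] = $stub;
      }
    }
  }
  return $filtered;
}

// Constructed sample: a query without entityCondition('bundle', ...) returns
// rows from every bundle of the entity type.
$result = ['node' => [
  1 => (object) ['nid' => 1, 'vid' => 1, 'type' => 'page'],
  2 => (object) ['nid' => 2, 'vid' => 2, 'type' => 'article'],
  3 => (object) ['nid' => 3, 'vid' => 5, 'type' => 'page'],
]];

// Hypothetical permission machine names; this caller holds only the article one.
$granted = ['read node article entities using javascript'];
$can_read = function (string $entity_type, string $bundle) use ($granted): bool {
  return in_array("read $entity_type $bundle entities using javascript", $granted, TRUE);
};

$visible = filter_efq_result_by_bundle($result, 'type', $can_read);
print_r(array_keys($visible['node'] ?? []));
```

Because the filter runs after execution, a query that uses `range()` can hand back fewer rows than requested once the unreadable bundles are removed.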