Seen and hunted down in #2218119: Only one billing or shipping address shown in address book tab for authentificated user, how to reproduce:

* Want to see all commerce_foo that join to NO commerce_bar
* Create a query of some commerce_foo object, join some commerce_bar object
* Filter commerce_bar for null values

Result: Non-admin with "view own commerce_bar" but not "administer commerce_bar" does not see any rows
Expected: Sees some rows.

Background: commerce_entity_access_query_alter() adds condition "commerce_bar.uid=current-user":

  // If the given entity type has a user ownership key...
  if (!empty($entity_info['access arguments']['user key'])) {
    // Perform 'view own' access control for the entity in the query if the user
    // is authenticated.
    if ($account->uid && user_access('view own ' . $entity_type . ' entities', $account)) {
      $conditions->condition($base_table . '.' . $entity_info['access arguments']['user key'], $account->uid);
    }
  }

It should add: "commerce_bar.uid=current-user OR commerce_bar.uid=NULL"
(This also applies to the other conditions that are added in this function above that code.)

Comments

geek-merlin

Issue summary: View changes
rszrama

Are you sure that change wouldn't generate false positives; is there no other reason that a commerce_[entity] table's uid column might be NULL?

geek-merlin

I thought about this. All the entities that are governed by commerce_entity_access (like orders and customer profiles) have a not-null restriction on the uid field. So if there were an entity with optional uid, it should not be passed to commerce_entity_access in the first place.

geek-merlin

Status: Active » Needs review
Attached file: status new, size 2.07 KB

Correcting myself:
> It should add: "commerce_bar.uid=current-user OR commerce_bar.uid=NULL"

Of course it should add (with ID the entity-id) which addresses #2 without further assumptions:
It should add: "commerce_bar.uid=current-user OR commerce_bar.ID IS NULL"

Patch flying in to feed the bot.
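The effect of the three conditions discussed above on a LEFT JOIN, as an added example that is not code from this issue, its patch or Drupal Commerce. It runs the SQL through SQLite from Python rather than Drupal's query builder; the table layout and rows are constructed, and uid is left nullable (an assumption) so that the difference between the two proposed conditions becomes visible.

```python
import sqlite3

# Constructed sample data. commerce_foo / commerce_bar are the issue's
# placeholder names; uid is nullable here (an assumption) on purpose.
SCHEMA = """
CREATE TABLE commerce_bar (bar_id INTEGER PRIMARY KEY, uid INTEGER);
CREATE TABLE commerce_foo (foo_id INTEGER PRIMARY KEY, bar_id INTEGER);
INSERT INTO commerce_bar VALUES (10, 7), (11, 8), (12, NULL);
INSERT INTO commerce_foo VALUES (1, 10), (2, 11), (3, 12), (4, NULL);
"""

# The three access conditions discussed in the thread.
ACCESS = {
    "current":  "b.uid = ?",                           # what the alter adds today
    "uid_null": "(b.uid = ? OR b.uid IS NULL)",        # first proposal
    "id_null":  "(b.uid = ? OR b.bar_id IS NULL)",     # corrected proposal
}

def visible_foo(variant, uid, only_unjoined):
    """Return the foo_ids a 'view own' user gets back through the LEFT JOIN."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    sql = ("SELECT f.foo_id FROM commerce_foo f "
           "LEFT JOIN commerce_bar b ON b.bar_id = f.bar_id "
           "WHERE " + ACCESS[variant])
    if only_unjoined:
        # The user's own filter: only foo rows that join to no bar row.
        sql += " AND b.bar_id IS NULL"
    rows = db.execute(sql + " ORDER BY f.foo_id", (uid,)).fetchall()
    db.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    for name in ACCESS:
        print(name, visible_foo(name, 7, True), visible_foo(name, 7, False))
```

With the "no commerce_bar" filter, the current condition hides the unjoined row because `NULL = 7` is not true; without that filter, the `uid IS NULL` form also returns the row joined to an ownerless bar, which the `bar_id IS NULL` form does not.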

Status: Needs review » Needs work
geek-merlin

All order tests CommerceOrderUIAdminTest fail reproducibly?

Status: Needs work » Needs review

Status: Needs review » Needs work