Document that field_access() does no entity access checks

This should get the issue a little more visibility, and it affects Drupal 8 too so here's a patch.

That seems like good documentation.... clear and concise. Can someone verify its accuracy?

Looks good, the main entry point for this is probably something like $entity->field->access(), which is on FieldItemList, which directly implements AccessibleInterface. Should we add this to FieldItemList or so as well, or in a more general way to AcccessibleInterface? Note that that interface is implemented both by entities and by fields.

Yes, if there are methods on those other interfaces that need documentation that people writing classes implementing the interfaces would need to know, it should be added there too. Until that is determined... I guess I'll go ahead and mark this RTBC, since it is a good patch and apparently accurate... If anyone has specific suggestions of where the additional docs should be added to other interfaces, you can either set back to "needs work" and explain, or we can file a separate issue. Thanks!

Just to play devil's advocate, is there a reason we don't build in entity access checking so the method works as people would expect..?

Because the 90%+ use case for checking field access is when you already know that the user has access to the entity, and you usually check all the fields, when an entity is viewed/edited/requested on REST or so. Then you loop over all fields and check access and it would be overhead to check access to the entity every time.

Needs reroll apparently...

Looks like the patch in #2 has already been committed to 8.x: it doesn't apply in tests because it is there!

It looks like it was committed by webchick:
http://cgit.drupalcode.org/drupal/commit/core/lib/Drupal/Core/Entity/Ent...

For whatever reason, she didn't update the issue and the auto-message didn't either.

Attached Patch for D7. Please review.

@klausi, Thanks for your valuable suggestion. Please review updated patch.

Um.... I don't think we should be referring to calling a function in a contrib module here.

Also, the grammar/punctuation here is not quite right:

+ * entity access is also respected, for example with the nodes, check
+ * node_access() before checking field_access() and with the Entity API
+ * contributed module check entity_access() before checking field_access().
+ *

This should say "... respected. For example, when checking field access for nodes, check node_access() before checking field_access()." and then leave off the part about the Entity API module.

I don't see a problem with that as long as it's explicitly mentioned. Entity API is a top 10 module and the standard for almost any entity type and entity integration in contrib and it's the base for what we have in Drupal 8.

OK. Please make it into 2 sentences, using grammar like in #17 then.

Did changes in this patch as mentioned in #17, #18 and #19. Please review.

Minor fix,

For Example -> For example

If we are going to mention a function that is part of the Entity API contrib module (not Drupal Core), like entity_access(), then we absolutely need to mention the Entity API contrib module. So in that second part:

 * nodes, check node_access() before checking field_access() and when checking
+ * field access for entities, check entity_access() before checking
+ * field_access().

should be:
... before checking field_access(), and when checking field access for entities using the Entity API contributed module, check entity_access()...

(also note the comma before "and")

Sorry for the confusion!

Please review updated patch with fixes in #22.

Oh, one more thing: At the beginning it says "This method...". It's a function, not a method.

Other than that, looks good, thanks!

Fixed! Please review.

That looks fine to me now, thanks!

Resetting this back to RTBC.

Thanks again! Committed to 7.x.