The field_access() function only checks field permissions - not entity permissions. So, field_access('edit', ...)
can return TRUE even if the user doesn't have access to edit the entity.
This means that contrib modules are supposed to check entity access (for example with the Entity API contrib module's entity_access()
) before checking field_access()
, however, this is very easy to overlook (and most users assume it isn't necessary) leading to at least one highly critical security vulnerability in contrib.
Proposed solution: improve the API docs of the field_access() function to clearly state that it will not take entity access into account. The caller must make sure beforehand that entity access is respected.
Comment | File | Size | Author |
---|---|---|---|
#25 | drupal7-document-field-entity-access-2267411-25.patch | 824 bytes | er.pushpinderrana |
#25 | interdiff-2267411-23-25.txt | 681 bytes | er.pushpinderrana |
#2 | document-field-entity-access-2267411-1.patch | 1.4 KB | David_Rothstein |
Comments
Comment #1
klausiComment #2
David_Rothstein CreditAttribution: David_Rothstein commentedThis should get the issue a little more visibility, and it affects Drupal 8 too so here's a patch.
Comment #3
jhodgdonThat seems like good documentation.... clear and concise. Can someone verify its accuracy?
Comment #4
BerdirLooks good, the main entry point for this is probably something like $entity->field->access(), which is on FieldItemList, which directly implements AccessibleInterface. Should we add this to FieldItemList or so as well, or in a more general way to AcccessibleInterface? Note that that interface is implemented both by entities and by fields.
Comment #5
jhodgdonYes, if there are methods on those other interfaces that need documentation that people writing classes implementing the interfaces would need to know, it should be added there too. Until that is determined... I guess I'll go ahead and mark this RTBC, since it is a good patch and apparently accurate... If anyone has specific suggestions of where the additional docs should be added to other interfaces, you can either set back to "needs work" and explain, or we can file a separate issue. Thanks!
Comment #6
webchickJust to play devil's advocate, is there a reason we don't build in entity access checking so the method works as people would expect..?
Comment #7
BerdirBecause the 90%+ use case for checking field access is when you already know that the user has access to the entity, and you usually check all the fields, when an entity is viewed/edited/requested on REST or so. Then you loop over all fields and check access and it would be overhead to check access to the entity every time.
Comment #9
jhodgdonNeeds reroll apparently...
Comment #10
JacobSanfordLooks like the patch in #2 has already been committed to 8.x: it doesn't apply in tests because it is there!
Comment #11
jhodgdonIt looks like it was committed by webchick:
http://cgit.drupalcode.org/drupal/commit/core/lib/Drupal/Core/Entity/Ent...
For whatever reason, she didn't update the issue and the auto-message didn't either.
Comment #12
er.pushpinderrana CreditAttribution: er.pushpinderrana commentedAttached Patch for D7. Please review.
Comment #15
klausiThe example should be node_access() first for nodes (which is in core) and entity_access() second with the reference to the Entity API module.
Comment #16
er.pushpinderrana CreditAttribution: er.pushpinderrana commented@klausi, Thanks for your valuable suggestion. Please review updated patch.
Comment #17
jhodgdonUm.... I don't think we should be referring to calling a function in a contrib module here.
Also, the grammar/punctuation here is not quite right:
This should say "... respected. For example, when checking field access for nodes, check node_access() before checking field_access()." and then leave off the part about the Entity API module.
Comment #18
BerdirI don't see a problem with that as long as it's explicitly mentioned. Entity API is a top 10 module and the standard for almost any entity type and entity integration in contrib and it's the base for what we have in Drupal 8.
Comment #19
jhodgdonOK. Please make it into 2 sentences, using grammar like in #17 then.
Comment #20
er.pushpinderrana CreditAttribution: er.pushpinderrana commentedDid changes in this patch as mentioned in #17, #18 and #19. Please review.
Comment #21
amitgoyal CreditAttribution: amitgoyal commentedMinor fix,
For Example -> For example
Comment #22
jhodgdonIf we are going to mention a function that is part of the Entity API contrib module (not Drupal Core), like entity_access(), then we absolutely need to mention the Entity API contrib module. So in that second part:
should be:
... before checking field_access(), and when checking field access for entities using the Entity API contributed module, check entity_access()...
(also note the comma before "and")
Sorry for the confusion!
Comment #23
amitgoyal CreditAttribution: amitgoyal commentedPlease review updated patch with fixes in #22.
Comment #24
jhodgdonOh, one more thing: At the beginning it says "This method...". It's a function, not a method.
Other than that, looks good, thanks!
Comment #25
er.pushpinderrana CreditAttribution: er.pushpinderrana commentedFixed! Please review.
Comment #26
jhodgdonThat looks fine to me now, thanks!
Comment #29
dcam CreditAttribution: dcam commentedResetting this back to RTBC.
Comment #30
jhodgdonThanks again! Committed to 7.x.