In EntityListBuilder::render(), the list builder does not check if the caller has 'view' permission to the entity in each row before it calls buildRow().
This results in users seeing entities listed that they do not otherwise have permission to view.
Comments
Comment #5
larowlan: If you were to add an access filter at that point, it would mess with the pager.
I think the more appropriate approach would be to modify the query method to filter out at that point.
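The pager effect described in comment #5, as an added example that is not part of the original thread and is not Drupal core code: a plain-PHP simulation comparing an access filter applied after paging with one applied before paging. The entity IDs, the `$can_view` rule and both function names are constructed for illustration.

```php
<?php
// Constructed sample data: ten entity IDs; the current user may view only the even ones.
$entities = range(1, 10);
$can_view = fn(int $id): bool => $id % 2 === 0;
// Rows per page, standing in for the list builder's pager limit.
$limit = 4;

/**
 * Pages first, then drops rows the user cannot view (a filter at render time).
 */
function page_then_filter(array $ids, callable $can_view, int $limit, int $page): array {
  $slice = array_slice($ids, $page * $limit, $limit);
  return array_values(array_filter($slice, $can_view));
}

/**
 * Applies the access condition first, then pages (a filter in the query).
 */
function filter_then_page(array $ids, callable $can_view, int $limit, int $page): array {
  $visible = array_values(array_filter($ids, $can_view));
  return array_slice($visible, $page * $limit, $limit);
}

// A pager derives its page count from the total the query reports. With the
// render-time filter that total still counts rows the user cannot view.
$total_unfiltered = count($entities);
$total_filtered = count(array_filter($entities, $can_view));
$pages_unfiltered = (int) ceil($total_unfiltered / $limit);
$pages_filtered = (int) ceil($total_filtered / $limit);

printf("Filter at render time: pager reports %d items on %d pages\n", $total_unfiltered, $pages_unfiltered);
for ($page = 0; $page < $pages_unfiltered; $page++) {
  $rows = page_then_filter($entities, $can_view, $limit, $page);
  printf("  page %d: %d of %d rows [%s]\n", $page, count($rows), $limit, implode(', ', $rows));
}

printf("Filter in the query: pager reports %d items on %d pages\n", $total_filtered, $pages_filtered);
for ($page = 0; $page < $pages_filtered; $page++) {
  $rows = filter_then_page($entities, $can_view, $limit, $page);
  printf("  page %d: %d of %d rows [%s]\n", $page, count($rows), $limit, implode(', ', $rows));
}
```

With the render-time filter every page comes back short and the pager total still counts entities the user cannot view; with the filter applied before paging, pages fill up to the limit and the total covers only viewable entities.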
Comment #6
darvanen: \Drupal\Core\Entity\EntityListBuilder::getEntityIds has an access check in it.
::render uses that method to fetch the entities to pass to buildRow. I do not think there is a bug here.
Comment #10
quietone (PreviousNext): I read \Drupal\Core\Entity\EntityListBuilder to check what is said in #6.
The render method calls load, which in turn calls getEntityIds. And it is in that method that we find the access checking. It was added in April 2021 in #3204419: EntityQuery accessCheck: always specifiy accessCheck, don't rely on the default.
I agree with #6 that there is no bug here. I am closing this as outdated. If that is wrong, reopen the issue by setting the status to 'Active', and add a comment.
Thanks