In EntityListBuilder::render(), the list builder does not check if the caller has 'view' permission to the entity in each row before it calls buildRow().

This results in users seeing entities listed that they do not otherwise have permission to view.

Comments

kmorozov created an issue.

Version: 8.2.6 » 8.2.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment. More information about choosing a version.

Version: 8.2.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Branches prior to 8.8.x are not supported, and Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

larowlan’s picture

If you were to add an access filter at that point, it would mess with the pager.

I think the more appropriate approach would be to modify the query method to filter out at that point.

darvanen’s picture

\Drupal\Core\Entity\EntityListBuilder::getEntityIds has an access check in it.

::render uses that method to fetch the entities to pass to buildRow. I do not think there is a bug here.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

Status: Active » Closed (outdated)
Issue tags: +Bug Smash Initiative

I read \Drupal\Core\Entity\EntityListBuilder to check what is said in #6.

The render method calls load, which in turn calls getEntityIds. And it is in that method that we find the access checking. It was added in April 2021 in #3204419: EntityQuery accessCheck: always specifiy accessCheck, don't rely on the default.

I agree with #6 that there is no bug here. I am closing this as outdated. If that is wrong, reopen the issue by setting the status to 'Active' and add a comment.

Thanks
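
The pager concern raised in the thread, and why an access condition belongs in the ID query rather than in render(), shown as an added example that is not Drupal core code or code from any commenter. It is plain PHP with no Drupal dependency; the function names, the `viewable` flag and the sample entities are constructed for illustration.

```php
<?php
// Constructed sample data: ten entities; the current viewer may only view
// IDs 1, 2, 9 and 10. The 'viewable' flag stands in for an access check.
$entities = [];
foreach (range(1, 10) as $id) {
  $entities[$id] = ['id' => $id, 'viewable' => in_array($id, [1, 2, 9, 10], TRUE)];
}

/**
 * Hypothetical strategy A: page over all IDs first, then drop rows the
 * viewer may not see while building the rows for each page.
 */
function pages_filter_after_paging(array $entities, int $limit): array {
  $pages = [];
  foreach (array_chunk($entities, $limit, TRUE) as $chunk) {
    // The pager already fixed this chunk; filtering now only shrinks it.
    $pages[] = array_keys(array_filter($chunk, fn(array $e) => $e['viewable']));
  }
  return $pages;
}

/**
 * Hypothetical strategy B: apply the access condition when selecting IDs,
 * then page over what is left. Page sizes and page count stay consistent.
 */
function pages_filter_in_query(array $entities, int $limit): array {
  $visible = array_filter($entities, fn(array $e) => $e['viewable']);
  return array_map('array_keys', array_chunk($visible, $limit, TRUE));
}

$limit = 4;
echo 'filter after paging: ', json_encode(pages_filter_after_paging($entities, $limit)), "\n";
echo 'filter in query:     ', json_encode(pages_filter_in_query($entities, $limit)), "\n";
```

With this sample data, strategy A produces short pages and one empty page while the pager still spans all ten rows; strategy B returns the four viewable IDs on a single page.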