Problem/Motivation

EntityAccessControlHandler::checkFieldAccess always returns allowed

This means that all fields are editable if the user has 'update' access to the entity.

We should document this as it could catch people out.

This was originally posted on security.drupal.org but cleared for a public issue by the security team

Steps to reproduce

Proposed resolution

Add additional documentation to \Drupal\Core\Entity\EntityAccessControlHandler::checkFieldAccess .
Although the initial proposal included \Drupal\Core\Field\FieldItemList::access , this method delegates to checkFieldAccess() and does not implement its own logic. Therefore, no changes are required there. Documenting the behavior in checkFieldAccess() is sufficient.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Issue fork drupal-3408607

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

larowlan created an issue. See original summary.

Akhil Babu made their first commit to this issue’s fork.

akhil babu’s picture

Function definition of EntityAccessControlHandler::checkFieldAccess was updated in https://www.drupal.org/project/drupal/issues/3395404.

Some additinal checks have been added for revision log field

akhil babu’s picture

This means that all fields are editable if the user has 'update' access to the entity.

Is this valid now? Update access is checked only for the revision log field in the new definition.

  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    if (!$items instanceof FieldItemListInterface || $operation !== 'view') {
      return AccessResult::allowed();
    }
    $entity = $items->getEntity();
    $isRevisionLogField = $this->entityType instanceof ContentEntityTypeInterface && $field_definition->getName() === $this->entityType->getRevisionMetadataKey('revision_log_message');
    if ($entity && $isRevisionLogField) {
      // The revision log should only be visible to those who can view the
      // revisions OR edit the entity.
      return $entity->access('view revision', $account, TRUE)
        ->orIf($entity->access('update', $account, TRUE));
    }
    return AccessResult::allowed();
  }

poker10’s picture

Title: Document that EntityAccessControlHandler::checkFieldAccess returns AccessResultAllowedByDefault » Document that EntityAccessControlHandler::checkFieldAccess returns AccessResultAllowed by default
larowlan’s picture

I think its fine to say 'With a few exceptions, most fields return access result allowed by default'

There are other exceptions in e.g. comments

ghost of drupal past’s picture

Is this valid now?

yes it is. Let me emphasize a part of the code you pasted above:

    if ($operation !== 'view') {
      return AccessResult::allowed();
    }

What needs to be documented here is you can not rely on fieldAccess alone to check whether a field is accessible by a user, it must be andIf'd with entity access.

akhil babu’s picture

Status: Active » Needs review
Issue tags: -Needs issue summary update

Thanks @larowlan and @Ghost of Drupal Past

I have updated function documentation as per the inputs.

smustgrave’s picture

Status: Needs review » Needs work

Can it be documented in the issue summary why

\Drupal\Core\Field\FieldItemList::access

does not need to be updated.

chhavi.sharma’s picture

Issue summary: View changes
chhavi.sharma’s picture

Status: Needs work » Needs review

Updated the issue summary as suggested.

smustgrave’s picture

Status: Needs review » Needs work

Left a small comment.

luismagr’s picture

Status: Needs work » Needs review

Hi,

I've added a minor change in the documentation following what I understood by @smustgrave's comment. Let me know if I'm wrong.

Thanks

smustgrave’s picture

Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs Review Queue Initiative

Feedback has been addressed. I did rebase the MR as it was 3200+ commits back. Couldn't figure out why the pipeline looked old lol.

  • quietone committed bef8dbcc on 11.2.x
    Issue #3408607 by larowlan, poker10, smustgrave, akhil babu, ghost of...

  • quietone committed 0e19e4f6 on 11.x
    Issue #3408607 by larowlan, poker10, smustgrave, akhil babu, ghost of...

quietone’s picture

Version: 11.x-dev » 11.2.x-dev
Status: Reviewed & tested by the community » Fixed

I was on the fence about committing this as I think the comment could be stronger in warning about the consequences. And even an example recommended usage would be helpful. But since this change does point out the issue it is better to have this in than wait. I trust that someone will open an issue if they think the comment should be improved.

Also, wrapped to 80- columns on commit.

Committed to 11.x and 11.2.x

Thanks!

Now that this issue is closed, please review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, please credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.