Problem/Motivation
EntityAccessControlHandler::checkFieldAccess always returns allowed
This means that all fields are editable if the user has 'update' access to the entity.
We should document this as it could catch people out.
This was originally posted on security.drupal.org but cleared for a public issue by the security team
Steps to reproduce
Proposed resolution
Add additional documentation to \Drupal\Core\Entity\EntityAccessControlHandler::checkFieldAccess .
Although the initial proposal included \Drupal\Core\Field\FieldItemList::access , this method delegates to checkFieldAccess() and does not implement its own logic. Therefore, no changes are required there. Documenting the behavior in checkFieldAccess() is sufficient.
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Issue fork drupal-3408607
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #3
akhil babuFunction definition of EntityAccessControlHandler::checkFieldAccess was updated in https://www.drupal.org/project/drupal/issues/3395404.
Some additinal checks have been added for revision log field
Comment #4
akhil babuIs this valid now? Update access is checked only for the revision log field in the new definition.
Comment #5
poker10 commentedComment #6
larowlanI think its fine to say 'With a few exceptions, most fields return access result allowed by default'
There are other exceptions in e.g. comments
Comment #7
ghost of drupal pastIs this valid now?
yes it is. Let me emphasize a part of the code you pasted above:
What needs to be documented here is you can not rely on fieldAccess alone to check whether a field is accessible by a user, it must be andIf'd with entity access.
Comment #9
akhil babuThanks @larowlan and @Ghost of Drupal Past
I have updated function documentation as per the inputs.
Comment #10
smustgrave commentedCan it be documented in the issue summary why
\Drupal\Core\Field\FieldItemList::access
does not need to be updated.
Comment #11
chhavi.sharma commentedComment #12
chhavi.sharma commentedUpdated the issue summary as suggested.
Comment #13
smustgrave commentedLeft a small comment.
Comment #14
luismagr commentedHi,
I've added a minor change in the documentation following what I understood by @smustgrave's comment. Let me know if I'm wrong.
Thanks
Comment #15
smustgrave commentedFeedback has been addressed. I did rebase the MR as it was 3200+ commits back. Couldn't figure out why the pipeline looked old lol.
Comment #19
quietone commentedI was on the fence about committing this as I think the comment could be stronger in warning about the consequences. And even an example recommended usage would be helpful. But since this change does point out the issue it is better to have this in than wait. I trust that someone will open an issue if they think the comment should be improved.
Also, wrapped to 80- columns on commit.
Committed to 11.x and 11.2.x
Thanks!