If we're using node access rules and trying to use EFQ with node entity type we have 2 different situations:

  1. No field conditions/order by (empty $query->fields). EFQ will not add 'node access' tag to the query. No node access checks by default. If we need node access, we need to explicitly call $query->addTag('node_access');
    See #860180: Entity listing and loading does not allow for node access
  2. If we are using fields in EFQ, field_sql_storage_field_storage_query() function will always add 'entity_field_access' tag with 
          $select_query->addTag('entity_field_access');
      $select_query->addMetaData('base_table', $tablename);

This causes issues when you build custom node management pages with complex filters. I was forced to use something like that:

  $query = new EntityFieldQuery();
  $query
          ->entityCondition('entity_type', 'node')
          ->entityCondition('bundle', 'facility')
          ->pager()
          ->tableSort($header);
  facility_admin_page_build_filter($query);
  // skip node_access tag if we have fields conditions
  if(empty($query->fields)) {
    $query->addTag('node_access');
  }

I think we need to force node access in EFQ as this is expecting behavior.

To bypass node access in EFQ we can use workaround described in http://drupal.stackexchange.com/questions/3927/how-to-bypass-node-access....

Comments

taran2l’s picture

taran2l
Primary language Ukrainian
Location Lviv
commented

From the code it seems like it's easier to remove code that adds entity_field_access tag from field_sql_storage_field_storage_query(), than add code to $EFQ->propertyQuery().

Pros: no node access code execution on custom entities EFQ, better performance
Cons: probably we need to add new method to EFQ which will enable node access for EFQ in question

Also, docs should be updated to reflect this change.

taran2l’s picture

taran2l
Primary language Ukrainian
Location Lviv
commented

Can I know why this issue has been unpublished?

xjm’s picture

xjm
she/her
Primary language English
commented

Presumably it's going to be handled as a security issue. References: http://drupal.org/node/101494, http://drupal.org/security-advisory-policy

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
commented
Status: Active » Closed (duplicate)

This seems like a duplicate of another public issue that discusses the overall problem of EFQ and node access http://drupal.org/node/777578

Jackinloadup’s picture

Jackinloadup commented

Anyone coming to this issue looking for a way to bypass node_access in an EntityFieldQuery b/c it doesn't make sense in your situation see DANGEROUS_ACCESS_CHECK_OPT_OUT query tag added to EntityFieldQuery. This requires Drupal 7.15.