[regression] Impossible to filter for resources with an empty relationship object in JSON:API 2.x

@blainelang, can you verify that the user has the access content permission and that your filedepot_folder nodes are published?

@blainelang, man I'm a little stumped. If you look at jsonapi.module:jsonapi_jsonapi_entity_filter_access and jsonapi_jsonapi_node_filter_access, you'll see how we're handling node permissions. That's where the bug would have to be.

Do you have the ability to use a step debugger like XDebug? If so, stepping through that logic and TemporaryQueryGuard might help identify the bug, then you could describe it better here.

If you do not, the next best thing (perhaps better actually) would be to write a regression test in JsonApiRegressionTest.php that demonstrates the bug.

If you cannot do that, finding a way to reproduce the problem with a fresh install and minimal configuration and then providing us with steps to reproduce would help immensely!

Some light speculation based on the above:

The interaction of jsonapi_jsonapi_entity_filter_access and jsonapi_jsonapi_node_filter_access could be conflicting.

E.g. the first hook returns:

JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, $admin_permission)

and the second hook returns:

JSONAPI_FILTER_AMONG_ALL => AccessResult::forbiddenIf(!$account->hasPermission('access content')).

If the user has the admin permission but not 'access content', then when those results are orIf()'d together, the forbidden result might win.

The way to test this would be to either give your test user both administer content AND access content, or to change the result in jsonapi_jsonapi_node_filter_access for the access content case to 'neutral' instead of forbidden.

Sorry for such a long delay on this!

I've finally replicated the issue locally. I no longer believe the issue is with TemporaryQueryGuard. Everything looks fine there.

What I think actually caused this was the interplay between JSON:API filter paths now closely match JSON:API's output structure and the security issue.

Since query has the following filter:

filter[folder][condition][path]=field_parent_folder.id
filter[folder][condition][operator]=IS%20NULL

Your filter is actually saying that you want a node with an entity reference to a node whose UUID is NULL, not that the entity reference field is empty. This might technically have accidentally worked in the past because of the way that the entity query system works (iow, because of a leaky abstraction). With the introduction of the query guard, this accidental behavior ceased working. Why?

According to the filter path, you're technically trying to filter on values of a referenced node. Because of this, the query guard then adds an additional condition to ensure that you are only able to filter on published nodes. Of coure, there are no folders that both have an empty field_parent_folder field and reference a published node! Therefore, your query "correctly" returns an empty result.

What I think the bug boils down to is that your query needs to specify that you want nodes with an empty field_parent_folder relationship.

In the past, you would have been able to have a path of field_parent_folder for this, but the change record I linked to above prevents it by giving you an error message of: "Invalid nested filtering. The field `field_parent`, given in the path `field_parent` is incomplete, it must end with one of the following specifiers: `id`."

I think that message makes sense for everything except the IS NULL and IS NOT NULL operator and that those need special behavior.

Thanks for doing that research! Your analysis makes sense to me. As does your suggested solution.

I think #3021137: Ability to filter terms by "virtual" parent is related. At least conceptually, but potentially also in terms of patch.

Running into the same issue here. Is there a patch or a temporary workaround for this?

Running into the same issue here. Is there a patch or a temporary workaround for this?

Running into the same issue here. Is there a patch or a temporary workaround for this?

@koalater could you find a workaround or a solution to this, please? I'm in the same situation

Moving this to the core queue so it can get tested.

Slightly changing the logic, it seems I got it a bit wrong. Added a comment too.

Just needs a kernel test slightly updated.

@alonaoneill, please do not remove tags from issues unless you know they're incorrect. Thank you!

Also, is there a reason you set this issue back to "Needs Work"?

Hi,

I test the patch in #21, and then I filter a taxonomy term endpoint without luck.

I tried this:

• jsonapi/taxonomy_term/poi_category?filter[parent.id]=null
• jsonapi/taxonomy_term/poi_category?filter[root_filter][IS NULL][parent]=true
• jsonapi/taxonomy_term/poi_category?filter[root_filter][condition][path]=parent.id&filter[root_filter][condition][operator]=IS NULL

I'll change the issue status, but I don't know if this issue applies only to node. I'm sorry if it's not :)

I'm sorry, just now I see that the user 1 can see results to:

jsonapi/taxonomy_term/poi_category?filter[root_filter][condition][path]=parent.id&filter[root_filter][condition][operator]=IS NULL

But, I think that a user that can see an element with parent virtual must see the virtual one too... This must set this issue how "need work", I think

Just came to say that the patch in #21 seems to work fine, thank you!

filter[my-filter][condition][path]=my_reference_field&filter[my-filter][condition][operator]=IS%20NULL

I'm able to filter by parent id is 'virtual' using the following workaround:

filter[parent.0]=undefined

Is there something wrong with this method?

confirmed #21 works for me in this form
?filter[myfilter][condition][path]=myRelationship&filter[myfilter][condition][operator]=IS NULL

worth to notice that, in order to test the nullity of the relationship, i didn't use myRelationship.id as if i would check for a given value, but only myRelationship

UPDATE - WARNING
after patching, i got this error while sorting

Got error 'PHP message: ArgumentCountError: Too few arguments to function Drupal\\jsonapi\\Context\\FieldResolver::resolveInternalEntityQueryPath(), 2 passed in /home/mysite/public_html/contenta/web/core/modules/jsonapi/src/Controller/EntityResource.php on line 880 and at least 3 expected in /home/mysite/public_html/contenta/web/core/modules/jsonapi/src/Context/FieldResolver.php on line 269

I tried a temporary workaround mocking the 3rd param and seems to work again

/core/modules/jsonapi/src/Controller/EntityResource.php on line 880
Before patch
$query->range($pagination->getOffset(), $pagination->getSize() + 1);

After patch
$query->range($pagination->getOffset(), $pagination->getSize() + 1, null);

Rerolled #21 for D8.8.

D8.8 changed up the parameters for resolveInternalEntityQueryPath. With patch #31 it assumes the presence of a third parameter $operator means that it's being called with the old string parameters when it's not.

I've added an additional check to see if the first parameter is a string before making this assumption (there's probably a better way to fix it but this seems to work), and fixed the function call in Drupal\Tests\jsonapi\Kernel\Query\FilterTest.

Rerolled up to 8.9

Thanks for all the confirmations of #21 and thanks for the reroll in #33 @aleevas! I think it's safe to put this back to RTBC.

Whoops, forgot one! Thanks for the reroll in #32 @cantrellnm!

Let me clarify why I think this is RTBC:

This issue was moved to "Needs work" by @psf_ in #25 because, IIUC, he expected to see the "virtual" taxonomy term in the collection of terms once he filtered terms' parent ID with IS NULL. I think that's a separate issue, perhaps even a feature request.

Given that this issue has 23 followers, is a verified regression and is marked major, it makes sense to me that we should land the patch we have and address @psf_'s concerns, if he still has them, in a new issue.

It looks like an unrelated test failure.

Thanks for your work on this!

It looks like the patch does not apply to 9.1.x, so we need a D9 version as well here. Thanks!

Added patch for Drupal 9.1.x.

Went through the reroll, there has been no changes in logic with the reroll, so i guess it should be put back to RBTC

Thanks @bbrala!

Committed/pushed to 9.1.x, cherry-picked to 9.0.x, and committed the 8.9.x patch there too, thanks!