See parent issue #3200985: [meta] Fix undesirable access checking on entity query usages for context.
When cleaning up data consequent on field, entity type or module removal, we should not care whether the curreny user can access the data. We should trust that access was properly checked for the field, entity type or module removal itself.
Fixes needed:
- core/modules/shortcut/src/Entity/ShortcutSet.php preDelete
- core/modules/system/src/Form/PrepareModulesEntityUninstallForm.php all in file, we are uninstalling which means deleting everything
- core/modules/node/node.module case 'user_cancel_block_unpublish' we want to unpublish everything the user owns
- core/modules/user/user.api.php hook_user_cancel
- core/modules/comment/comment.module comment_field_config_delete and comment_entity_predelete
Issue fork drupal-3201714
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #3
jonathanshawI cannot find any test coverage for PrepareModulesEntityUninstallForm or the ContentUninstallValidator that calls it. This one could be affected by node_access, but I'm not sure it really matters. To suffer from the bug you'd need to
(a) have a node acess module installed
(b) not be using drush to manage module uninstallation
(c) want to uninstall node
(d) be someone with permission to uninstall node but not to view all your nodes
(e) fail to realise that uninstalling node will remove all your site's nodes
I suggest not requiring test coverage for this fix.
Comment #4
catchDoesn't drush run with the anonymous user though? So if the anonymous user doesn't have access to view nodes it would be affected?
Comment #5
jonathanshawDrush doesn't warn you about content that might be deleted when uninstalling a module, AFAIK. And if it does, it wouldn't be using a form or class or batch job like PrepareModulesEntityUninstallForm to do it (I'd expect).
Comment #6
moshe weitzman CreditAttribution: moshe weitzman as a volunteer commentedDrush doesn’t have special messages or special code here. We call Drupal's validation and then uninstall methods. Patch makes sense to me.
Comment #7
jonathanshawLooking at the code, Drush calls ModuleHandler::uninstall which ultimately will call ContentUninstallValidator. However, this will not trigger PrepareModulesEntityUninstallForm, it simply provides an optional link to it:
ContentUninstallValidator:
There are therefore basically 2 possible impacts of a bug in PrepareModulesEntityUninstallForm that someone using the form to remove content might find:
- (1) not all content being removed, despite apparent success of the batch job, so module will persist in being uninstallable
- (2) being given an underestimate of the number of content items there are to remove
Comment #8
jonathanshawThe test-only commit failed, and so now I've restored the fix. This is ready for RTBC.
Comment #9
jonathanshawFixed the hook_user_cancel docs in this issue too.
Comment #10
longwaveOne style nit but otherwise this looks good to go.
Comment #12
ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commentedI have changed the variable name as suggested, please review.
Comment #13
longwaveThanks!
Comment #14
alexpottThe content entity impact on uninstalling is tested in \Drupal\Tests\system\Functional\Module\PrepareUninstallTest
I also left a review on the merge request.
Comment #15
jonathanshawThanks a lot for finding that @alexpott, I had missed it and it made things easy.
Comment #16
longwaveSeems like the latter part of the test should need updating:
Only 5 should be listed here now, I think - let's see what the bot says.
Comment #17
jonathanshaw#16 was right.
Comment #18
longwaveThe test fix wasn't quite right.
Comment #19
jonathanshawComment #20
longwaveAll review points were addressed, the test is now quite comprehensive I think.
Comment #23
catchCommitted 37a5b1a and pushed to 9.2.x. Thanks! Cherry-picked to 9.1.x too.