Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.See parent issue #3200985: [meta] Fix undesirable access checking on entity query usages for context and test coverage policy.
Entity type delete forms should warn about any content at risk even if deleting user lacks access.
Fixes needed:
- core/modules/node/src/Form/NodeTypeDeleteConfirm.php buildForm
- core/modules/block_content/src/Form/BlockContentTypeDeleteForm.php buildForm
- core/modules/comment/src/Form/CommentTypeDeleteForm.php buildForm
- core/modules/media/src/Form/MediaTypeDeleteConfirmForm.php buildForm
In itself this is not a critical data integrity bug. It's major because it blocks #2785449: It's too easy to write entity queries with access checks that must not have them.
Issue fork drupal-3202040
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #2
jonathanshawBecause this only affects a UI warning show to sitebuilders when performing a rare operation of obvious high impact, I suggest it doesn't need test coverage under our #3200985: [meta] Fix undesirable access checking on entity query usages policy despite the fact that node is one of the affected systems.
Comment #4
jonathanshawComment #5
longwaveMakes sense, also agree that issue is well scoped/self contained and I don't think we need explicit test coverage.
Comment #8
catchOpened the follow-up mentioned on the MR #3202963: Bundle delete forms should use count query when warning about existing entities.
Committed aef67cd and pushed to 9.2.x. Thanks! Cherry-picked to 9.1.x.