See parent issue #3200985: [meta] Fix undesirable access checking on entity query usages for context and test coverage policy. This issue is major because it blocks #2785449: It's too easy to write entity queries with access checks that must not have them.

We are moving to require accessCheck() to be called on content entity queries. There are a number of entity queries in core that currently correctly check access, but rely on the default behavior being accessCheck(TRUE). This issue changes these to explicitly specify the accessCheck.

Fixes needed:
- core/lib/Drupal/Core/Entity/EntityListBuilder.php
- core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php
- core/lib/Drupal/Core/Field/EntityReferenceFieldItemList.php
- core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
- core/modules/comment/src/Form/CommentAdminOverview.php
- core/modules/media/src/MediaListBuilder.php
- core/modules/node/src/Controller/NodeController.php
- core/modules/path/src/PathAliasListBuilder.php
- core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php
- core/modules/taxonomy/taxonomy.tokens.inc
- core/modules/user/src/UserListBuilder.php
- core/modules/aggregator/src/Plugin/Block/AggregatorFeedBlock.php
- core/modules/comment/src/CommentManager.php getCountNewComments
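
An added example, not code from this issue or from Drupal core: a small Python heuristic that flags entity queries relying on the implicit default instead of an explicit accessCheck() call, which is the pattern the files above were changed to avoid. The function names and the PHP sample are constructed for illustration; the scan is regex-based rather than a PHP parser, and it does not distinguish content entity queries from config entity queries.

```python
import re

# Comments are blanked first: they may mention accessCheck() or contain ';'.
COMMENT = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*", re.S)
# Start of an entity query, optionally capturing the variable it is assigned to.
QUERY_START = re.compile(r"(?:(\$\w+)\s*=\s*[^=;{}]*?)?(?:::entityQuery|->getQuery)\s*\(")

def _set_later(var, later_statements):
    """True if $var->accessCheck() is called before the next function begins."""
    for _, stmt in later_statements:
        if re.search(r"\bfunction\b", stmt):
            return False  # left the scope: report rather than guess
        if var + "->accessCheck(" in stmt:
            return True
    return False

def find_unchecked_queries(php_source):
    """Return line numbers of entity queries with no explicit accessCheck()."""
    # Keep the newlines of removed comments so line numbers stay correct.
    code = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), php_source)
    statements = [(m.start(), m.group()) for m in re.finditer(r"[^;]+", code)]
    findings = []
    for i, (pos, stmt) in enumerate(statements):
        start = QUERY_START.search(stmt)
        if not start or "->accessCheck(" in stmt:
            continue  # not a query, or a chained query that sets it explicitly
        var = start.group(1)
        if var and _set_later(var, statements[i + 1:]):
            continue  # query object gets accessCheck() in a later statement
        findings.append(code.count("\n", 0, pos + start.start()) + 1)
    return findings

# Constructed PHP sample: two explicit queries, then two relying on the default.
SAMPLE = r"""<?php
function checked($storage) {
  $query = $storage->getQuery();
  $query->accessCheck(TRUE);
  return $query->condition('status', 1)->execute();
}
function chained() {
  return \Drupal::entityQuery('node')->accessCheck(FALSE)->execute();
}
function implicit($storage) {
  // Relies on the default; accessCheck(TRUE) is never called.
  $ids = \Drupal::entityQuery('node')->condition('status', 1)->execute();
  $q = $storage->getQuery();
  return $q->condition('uid', 0)->execute();
}
"""
```

Both accessCheck(TRUE) and accessCheck(FALSE) count as explicit here; whether FALSE is appropriate for a given query still needs human review.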

Comments

jonathanshaw created an issue. See original summary.

jonathanshaw

I love how there's only 13 cases here where we got accessCheck(TRUE) right and 200+ in other child issues where it should be accessCheck(FALSE).

jonathanshaw

Status: Active » Needs review

longwave

Status: Needs review » Reviewed & tested by the community

This is just reinforcing the existing behaviour before we enforce accessCheck(), all checks are set to TRUE so this is fine.

  • catch committed 3f057d6 on 9.2.x
    Issue #3204419 by jonathanshaw, longwave: EntityQuery accessCheck:...

  • catch committed 3a8a2ec on 9.1.x
    Issue #3204419 by jonathanshaw, longwave: EntityQuery accessCheck:...

catch

Version: 9.2.x-dev » 9.1.x-dev
Status: Reviewed & tested by the community » Fixed

Committed/pushed to 9.2.x and cherry-picked to 9.1.x, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.