Problem/Motivation
There is no need to check access for the entityQuery of user in the user_is_blocked function.
Under normal circumstances, it's OK with the access check. But for some reason, like if you install the group module, it will alter the query by checking the current user's group permissions. Finally, it cannot find any blocked user if the blocked user belongs to any group.
So it will let the blocked user log in successfully and later log him out when the user logs in to Drupal.
Proposed resolution
Set the access check to FALSE for the entityQuery of user in the user_is_blocked function:
```php
function user_is_blocked($name) {
  return (bool) \Drupal::entityQuery('user')
    ->accessCheck(FALSE)
    ->condition('name', $name)
    ->condition('status', 0)
    ->execute();
}
```
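The failure mode described above, as an added example that is not part of this issue's patch or of the Group module: a hypothetical module `access_alter_demo` registers a query alter on the `user_access` tag (the tag an entity query carries only when `->accessCheck(TRUE)` is used) that restricts results for accounts without a permission, and a kernel test shows that the access-sensitive lookup then fails to see a blocked account while the access-insensitive lookup used by the patched `user_is_blocked()` still finds it. The module name, hook, test class and the `blocked_demo` account are constructed for this example; in a real project the two braced namespace blocks live in `access_alter_demo.module` and `tests/src/Kernel/BlockedUserLookupTest.php` respectively.

```php
<?php
// Added example for this issue; hypothetical module `access_alter_demo`.
// Two files are shown as braced namespace blocks so this is one valid PHP file.

namespace {

  use Drupal\Core\Database\Query\AlterableInterface;

  /**
   * Implements hook_query_TAG_alter() for the 'user_access' tag.
   *
   * Entity queries only get this tag when built with ->accessCheck(TRUE),
   * so a query built with ->accessCheck(FALSE) is never touched here.
   * This mimics a permission-based alter such as the one the issue
   * attributes to the Group module.
   */
  function access_alter_demo_query_user_access_alter(AlterableInterface $query) {
    $account = \Drupal::currentUser();
    if (!$account->hasPermission('administer users')) {
      // Without the permission, restrict the result set to the current
      // account. Any blocked user other than the caller becomes invisible.
      $query->condition('base_table.uid', $account->id());
    }
  }

}

namespace Drupal\Tests\access_alter_demo\Kernel {

  use Drupal\KernelTests\KernelTestBase;
  use Drupal\user\Entity\User;

  /**
   * Shows why a "is this account blocked?" lookup must not be access
   * sensitive: "not found" would be misread as "not blocked".
   */
  class BlockedUserLookupTest extends KernelTestBase {

    protected static $modules = ['system', 'user', 'access_alter_demo'];

    protected function setUp(): void {
      parent::setUp();
      $this->installEntitySchema('user');
      // User IDs are allocated from the sequences table in 8.9.x/9.x.
      $this->installSchema('system', ['sequences']);
      // Kernel tests run as the anonymous user, who lacks 'administer users'.
    }

    public function testBlockedUserIsFoundOnlyWithoutAccessCheck(): void {
      // Constructed blocked account (status 0).
      User::create(['name' => 'blocked_demo', 'status' => 0])->save();

      // Access-sensitive lookup: the alter hides the row, so the blocked
      // account would be treated as unblocked at login. Pre-patch behaviour.
      $sensitive = \Drupal::entityQuery('user')
        ->accessCheck(TRUE)
        ->condition('name', 'blocked_demo')
        ->condition('status', 0)
        ->execute();
      $this->assertEmpty($sensitive);

      // Access-insensitive lookup, as in the patched user_is_blocked().
      $insensitive = \Drupal::entityQuery('user')
        ->accessCheck(FALSE)
        ->condition('name', 'blocked_demo')
        ->condition('status', 0)
        ->execute();
      $this->assertNotEmpty($insensitive);
      $this->assertTrue(user_is_blocked('blocked_demo'));
    }

  }

}
```

The last assertion only passes once the patch from this issue is applied; before it, the access-sensitive query in `user_is_blocked()` returns no rows under the demo alter and the function reports the blocked account as not blocked.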
Comment | File | Size | Author |
---|---|---|---|
#2 | 3206540-2-accessCheck-false-user-entityQuery.patch | 444 bytes | yechaozheng |
Comments
Comment #2
yechaozheng (CreditAttribution: yechaozheng as a volunteer and at CI&T) commented: Create a patch for it.
Comment #3
longwave: This is a backport of #3203366: EntityQuery accessCheck: user_is_blocked() should not be access sensitive and the patch is identical, however 8.8.x is no longer supported and this can only be committed to 8.9.x.
Comment #4
renatog: It works well. +1 to it
Comment #6
catch: We're only backporting major and critical bugs to 8.9.x now, but this is arguably major, so bumping priority.
Committed 8bdcc82 and pushed to 8.9.x. Thanks!