Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.See parent issue #3200985: [meta] Fix undesirable access checking on entity query usages for context and test coverage policy.
We intended to fix places in aggregator (outside of tests) that did not specify access checking on an entity query in #3203369: EntityQuery accessCheck: aggregator module for ones that should be FALSE and #3204419: EntityQuery accessCheck: always specifiy accessCheck, don't rely on the default for the one that should be TRUE.
However, there were quite a few cases missed by accident. This issue addresses them.
Priority is major as this blocks #2785449: It's too easy to write entity queries with access checks that must not have them.
Issue fork drupal-3207654
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #3
jonathanshawLooks like I forgot to search for uses of Drupal::entityQuery() in aggregator. I found 3.
1 in cron and 1 in postDelete are about data integrity and so should definitely be FALSE. ItemStorage::getItemCount should follow the same logic as other similar ItemStorage methods, which are controlled by ItemStorage::executeFeedItemQuery() where accessCheck is FALSE.
So all FALSE.
These are bugs, but I suggest that under the parent issue's test coverage policy it is acceptable for this not to have test coverage, because it would require unusual customisations to encounter, and it's more important to progress the blocked issue.
Comment #4
jonathanshawComment #5
andypostChecked and this only leftovers! @jonathanshaw thank you!
Comment #8
catchCommitted 2ed8c84 and pushed to 9.2.x. Thanks! Cherry-picked to 9.1.x also.