Problem/Motivation

The CR "Access checking must be explicitly specified on content entity queries" contains the following sentence:

Until Drupal 9.2, if ::accessCheck() is not called then the query would default to checking access, i.e. behave as if ::accessCheck(TRUE) had been called.

This is misleading, because it implies that the default value changed in Drupal 9.2, which is not the case. Even in Drupal 9.2 (and later 9) the query defaults to checking access when accessCheck() is not called.

Proposed resolution

Change the wording of the CR to make it clearer that the default value didn't change. Suggested new wording for the paragraph starting with the above-mentioned sentence and the following paragraph:

If ::accessCheck() is not called then the query defaults to checking access, i.e. behaves as if ::accessCheck(TRUE) has been called. This behavior has been the source of many bugs, as it is easy for developers to forget that this happens.

In Drupal 9.2, not calling ::accessCheck() has been deprecated, and all entity queries on content entities should always include an explicit call to ::accessCheck() prior to the query being executed. For Drupal 10 this will be enforced by throwing an exception if ::accessCheck() is not called.
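An added example, not part of the issue or of Drupal core: a heuristic Python scan that lists entity queries in PHP source with no explicit `accessCheck()` call, which are the queries that rely on the implicit default described above and that Drupal 10 will reject. The function name and the sample PHP are constructed for illustration. The scan is regex-based and cannot tell content from config entity types, so each finding needs manual review.

```python
import re

# Heuristic text scan, not a PHP parser: statements are split on ';' and the
# entity type (content vs. config) is not resolved, so review each finding.
QUERY_START = re.compile(r"(?:->getQuery|->getAggregateQuery|::entityQuery)\s*\(")
ACCESS_CHECK = re.compile(r"->accessCheck\s*\(")
ASSIGNED_VAR = re.compile(r"(\$\w+)\s*=(?![=>])")


def find_unchecked_queries(php_source):
    """Return [(line, statement)] for entity queries with no explicit accessCheck()."""
    statements, pos = [], 0
    for raw in php_source.split(";"):
        statements.append((pos, raw))
        pos += len(raw) + 1  # +1 for the ';' consumed by split()
    findings = []
    for i, (offset, stmt) in enumerate(statements):
        start = QUERY_START.search(stmt)
        if not start or ACCESS_CHECK.search(stmt):
            continue  # not a query, or access mode set in the same chain
        # Query kept in a variable: accept a later "$var->...->accessCheck(...)".
        var = ASSIGNED_VAR.search(stmt[:start.start()])
        if var and any(
            re.match(r"\s*" + re.escape(var.group(1)) + r"\s*->", later)
            and ACCESS_CHECK.search(later)
            for _, later in statements[i + 1:]
        ):
            continue
        line = php_source.count("\n", 0, offset + start.start()) + 1
        findings.append((line, " ".join(stmt.split())))
    return findings


# Constructed sample module code (not from Drupal core or the issue).
SAMPLE = r"""<?php
$ids = \Drupal::entityQuery('node')->condition('status', 1)->execute();
$q = $storage->getQuery();
$q->condition('type', 'article')->accessCheck(TRUE);
$nids = $q->execute();
$all = $storage->getQuery()->accessCheck(FALSE)->execute();
$cnt = $storage->getQuery()->count()->execute();
"""

if __name__ == "__main__":
    for line, stmt in find_unchecked_queries(SAMPLE):
        print(f"line {line}: no explicit accessCheck(): {stmt}")
```

The scan treats `accessCheck(FALSE)` as explicit and does not flag it; those calls skip access checking on purpose and are worth a separate review.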

Comments

FeyP created an issue. See original summary.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave

Status: Needs review » Closed (outdated)
Issue tags: +Needs Review Queue Initiative

You can commit on the CR. May get better traction. I see others have already.