Currently the Entity Autocomplete module ignores all existing access restrictions on the returned entities. This is a big security gap.

Moreover, because the Entity Autocomplete module cannot know all access-related tags for all entities, the tags should be added through hook invocation, to give other modules a way to add their custom tags. The Entity Autocomplete module itself could only handle Drupal core access control, i.e. for the comment, node, taxonomy and user entity types.

Note: this could be the way to satisfy issue #1494916: Tag the query to be able to identify it in hook_query_alter.


Comments

recrit:

The attached patch adds the following query tags:
* "entity_autocomplete" for others to alter as needed
* Nodes: "node_access"
* Custom entities: $info['access arguments']['access tag'] defined in hook_entity_info()
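An added PHP sketch of how such tags fit Drupal 7's query API; this is not the attached patch or the module's own code, and the `example_` function names and the `access tag` key under `access arguments` in hook_entity_info() are assumptions taken from the description above:

```php
<?php
// Added illustration, not the module's code. Assumes the Drupal 7 database API.
// Hypothetical node autocomplete query tagged so that core's node_access
// alter (hook_query_node_access_alter in node.module) drops nodes the
// current user may not view.
function example_entity_autocomplete_nodes($string, $limit = 10) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', db_like($string) . '%', 'LIKE')
    ->range(0, $limit);
  // Generic tag so any module can alter every autocomplete query.
  $query->addTag('entity_autocomplete');
  // Core access tag: node.module rewrites queries carrying this tag.
  $query->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}

// Generalising to other entity types: read the access tag an entity type
// declares in hook_entity_info() (the key the patch description names,
// assumed here) and add it when present.
function example_entity_autocomplete_tag(SelectQuery $query, $entity_type) {
  $info = entity_get_info($entity_type);
  $query->addTag('entity_autocomplete');
  if (!empty($info['access arguments']['access tag'])) {
    $query->addTag($info['access arguments']['access tag']);
  }
  return $query;
}

// A third-party module using the generic tag via hook_query_TAG_alter() to
// narrow results further: here, unpublished nodes are hidden from the
// autocomplete list (hypothetical policy for the illustration).
function example_query_entity_autocomplete_alter(QueryAlterableInterface $query) {
  foreach ($query->getTables() as $alias => $table) {
    if ($table['table'] == 'node') {
      $query->condition($alias . '.status', 1);
    }
  }
}
```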

recrit:

Status: Active » Needs review
B-Prod:

Status: Needs review » Needs work
Issue tags: +Need tests

@recrit: thanks for your patch!

But the related tests are missing. Could you write those? If not, please assign this issue to me, I will do it as soon as I can.

recrit:

@B-Prod: the ticket is assigned to you. I do not have the time to write the tests.