Problem/Motivation
In Drupal 9.2 not calling ::accessCheck()
on content entity queries is deprecated and will be enforced in Drupal 10.
See https://www.drupal.org/node/3201242
Steps to reproduce
N/A
Proposed resolution
Add ->accessCheck(TRUE)
to explicitly enable access checking on likely all of our existing content entity queries.
I could only think of one place where we might want to disable access checking:
- The UniqueBirthLogConstraintValidator
attempts to limit assets to a single birth log. But if a birth log exists and the user doesn't have access to it, the constraint would not work as intended. This might happen if a user only had access to "view own birth log".
Remaining tasks
N/A
User interface changes
N/A
API changes
N/A
Data model changes
Issue fork farm-3239929
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
paul121 CreditAttribution: paul121 commentedComment #4
m.stentaChanging this to a "Task" because it's fixing deprecated code, not a bug.
Comment #5
m.stentaI reviewed MR !30 and it looks like you hit all the uses of
getQuery()
@paul121 - nice job!Doesn't look like this is being addressed with these changes, correct? It's setting
->accessCheck(TRUE)
like all the rest. I think I agree that this should be->accessCheck(FALSE)
in this case, and that's OK because we are not displaying the log(s) in question in the constraint violation message, so it is not exposing data that the user doesn't have access to.Related to this, we use a similar query to look up the asset's birth log so that we can link to it from their birthdate field when viewing an animal asset.
https://github.com/farmOS/farmOS/blob/e6f183512c8d00a0b580ecd5e2ad16f637...
We can use
->accessCheck(TRUE)
(as you did already) here because it would basically just prevent the birthdate field from becoming a link to the log if the user doesn't have access to the log. 👍I see that you also added support for this to the
farm.log_query
service, with anaccess_check
option to disable it. I like that! We may need to think through how this is used by some of the downstream code though...For example, this service is used by the
asset.location
andgroup.location
services to determine an asset's current location and group membership. These look for the most recent logs that assign location/group to the asset. If we filter out logs that the user doesn't have access to, this could result in the asset appearing to be in a location/group that is not correct. For example, if the user doesn't have access to the most recent log, but does have access to the previous log.I think we will want to explicitly set the
access_check
toFALSE
for these, and think through how we should deal with the access implications downstream from that. Which may be just "leave it as is". I think in both of these cases (location and membership) we would still want to be able to say which location/group the asset is in, regardless of whether or not the user has access to the log that puts it there... and also maybe regardless of whether or not the user has access to that location/group asset too!Ultimately, they can't access the referenced asset itself, so I don't think there is a security concern there. Although maybe even being able to see the name of the asset is arguably a concern.
Lastly, we should document the new
access_check
option in https://github.com/farmOS/farmOS/blob/e6f183512c8d00a0b580ecd5e2ad16f637... - I can push a commit to that effect...Comment #6
m.stentaThis also raises questions about how we should treat inventory calculations (probably deserves a dedicated issue). We don't use an entity query for those, but we do query log quantities. What happens if someone doesn't have access to the logs that are being queried? Should they still be able to view the asset's inventory? 🤔
Comment #7
paul121 CreditAttribution: paul121 commentedThinking about this again.... by setting a default here we're kinda re-creating the same issue Drupal core had. Devs making entity queries without having to think about the access checking.
Maybe we *shouldn't* include this in the
farm.log_query
service at all and require users of the service to explicitly set the access checking themselves. Its more verbose, but the reason this is being deprecated anyways. What do you think @m.stenta?But +1 for disabling access checking on these! It does make sense to default to no access checking and document it like you have done.
Comment #8
m.stentaThis thought occurred to me too. It does make sense to make it an explicit decision. I think *most* of the time you'll actually want it set to
FALSE
when you're usingfarm.log_query
, because as it states in the docs (emphasis mine):... and in those "typical" cases, filtering out logs that the user doesn't have access to changes the results in undesirable ways.
So if we *did* have a default, it might actually make more sense for it to be
FALSE
- but that feels like a security hole waiting to happen too.So I agree - let's remove that from
farm.log_query
and require that it be set explicitly by anything that uses that service.I'll sketch that up in a commit real quick and push it... standby...
Comment #9
m.stentaComment #10
paul121 CreditAttribution: paul121 commentedLooks good! Removing the default from
farm.log_query
just meant we needed to update the queries inLoqQueryTest
to specify access checking. Added a commit with this.Comment #12
m.stentaMerged - thanks again for kicking this off @paul121!