Skip to content

GitLab

Commit 3f057d61 authored by catch's avatar catch
Browse files

Issue #3204419 by jonathanshaw, longwave: EntityQuery accessCheck: always... 

Issue #3204419 by jonathanshaw, longwave: EntityQuery accessCheck: always specifiy accessCheck, don't rely on the default
parent 96aa5ca5
Hide whitespace changes
Inline Side-by-side
Showing with 17 additions and 2 deletions
core/lib/Drupal/Core/Entity/EntityListBuilder.php
View file @ 3f057d61
...@@ -95,6 +95,7 @@ public function load() { ...@@ -95,6 +95,7 @@ public function load() {
*/ */
protected function getEntityIds() { protected function getEntityIds() {
$query = $this->getStorage()->getQuery() $query = $this->getStorage()->getQuery()
->accessCheck(TRUE)
->sort($this->entityType->getKey('id')); ->sort($this->entityType->getKey('id'));
// Only add the pager if a limit is specified. // Only add the pager if a limit is specified.
......
core/lib/Drupal/Core/Entity/Plugin/EntityReferenceSelection/DefaultSelection.php
View file @ 3f057d61
...@@ -460,6 +460,7 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS') ...@@ -460,6 +460,7 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS')
} }
// Add entity-access tag. // Add entity-access tag.
$query->accessCheck(TRUE);
$query->addTag($target_type . '_access'); $query->addTag($target_type . '_access');
// Add the Selection handler for system_query_entity_reference_alter(). // Add the Selection handler for system_query_entity_reference_alter().
......
core/lib/Drupal/Core/Field/EntityReferenceFieldItemList.php
View file @ 3f057d61
...@@ -73,6 +73,7 @@ public static function processDefaultValue($default_value, FieldableEntityInterf ...@@ -73,6 +73,7 @@ public static function processDefaultValue($default_value, FieldableEntityInterf
if ($uuids) { if ($uuids) {
$target_type = $definition->getSetting('target_type'); $target_type = $definition->getSetting('target_type');
$entity_ids = \Drupal::entityQuery($target_type) $entity_ids = \Drupal::entityQuery($target_type)
->accessCheck(TRUE)
->condition('uuid', $uuids, 'IN') ->condition('uuid', $uuids, 'IN')
->execute(); ->execute();
$entities = \Drupal::entityTypeManager() $entities = \Drupal::entityTypeManager()
......
core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
View file @ 3f057d61
...@@ -136,6 +136,7 @@ public function checkNodeAccess(array $tree) { ...@@ -136,6 +136,7 @@ public function checkNodeAccess(array $tree) {
$nids = array_keys($node_links); $nids = array_keys($node_links);
$query = $this->entityTypeManager->getStorage('node')->getQuery(); $query = $this->entityTypeManager->getStorage('node')->getQuery();
$query->accessCheck(TRUE);
$query->condition('nid', $nids, 'IN'); $query->condition('nid', $nids, 'IN');
// Allows admins to view all nodes, by both disabling node_access // Allows admins to view all nodes, by both disabling node_access
......
core/modules/aggregator/src/Plugin/Block/AggregatorFeedBlock.php
View file @ 3f057d61
...@@ -129,6 +129,7 @@ public function build() { ...@@ -129,6 +129,7 @@ public function build() {
// Load the selected feed. // Load the selected feed.
if ($feed = $this->feedStorage->load($this->configuration['feed'])) { if ($feed = $this->feedStorage->load($this->configuration['feed'])) {
$result = $this->itemStorage->getQuery() $result = $this->itemStorage->getQuery()
->accessCheck(TRUE)
->condition('fid', $feed->id()) ->condition('fid', $feed->id())
->range(0, $this->configuration['block_count']) ->range(0, $this->configuration['block_count'])
->sort('timestamp', 'DESC') ->sort('timestamp', 'DESC')
......
core/modules/comment/src/CommentManager.php
View file @ 3f057d61
...@@ -220,6 +220,7 @@ public function getCountNewComments(EntityInterface $entity, $field_name = NULL, ...@@ -220,6 +220,7 @@ public function getCountNewComments(EntityInterface $entity, $field_name = NULL,
// Use the timestamp to retrieve the number of new comments. // Use the timestamp to retrieve the number of new comments.
$query = $this->entityTypeManager->getStorage('comment')->getQuery() $query = $this->entityTypeManager->getStorage('comment')->getQuery()
->accessCheck(TRUE)
->condition('entity_type', $entity->getEntityTypeId()) ->condition('entity_type', $entity->getEntityTypeId())
->condition('entity_id', $entity->id()) ->condition('entity_id', $entity->id())
->condition('created', $timestamp, '>') ->condition('created', $timestamp, '>')
......
core/modules/comment/src/Form/CommentAdminOverview.php
View file @ 3f057d61
...@@ -161,6 +161,7 @@ public function buildForm(array $form, FormStateInterface $form_state, $type = ' ...@@ -161,6 +161,7 @@ public function buildForm(array $form, FormStateInterface $form_state, $type = '
'operations' => $this->t('Operations'), 'operations' => $this->t('Operations'),
]; ];
$cids = $this->commentStorage->getQuery() $cids = $this->commentStorage->getQuery()
->accessCheck(TRUE)
->condition('status', $status) ->condition('status', $status)
->tableSort($header) ->tableSort($header)
->pager(50) ->pager(50)
......
core/modules/media/src/MediaListBuilder.php
View file @ 3f057d61
...@@ -149,6 +149,7 @@ public function buildRow(EntityInterface $entity) { ...@@ -149,6 +149,7 @@ public function buildRow(EntityInterface $entity) {
*/ */
protected function getEntityIds() { protected function getEntityIds() {
$query = $this->getStorage()->getQuery() $query = $this->getStorage()->getQuery()
->accessCheck(TRUE)
->sort('changed', 'DESC'); ->sort('changed', 'DESC');
// Only add the pager if a limit is specified. // Only add the pager if a limit is specified.
......
core/modules/node/src/Controller/NodeController.php
View file @ 3f057d61
...@@ -300,6 +300,7 @@ public function addPageTitle(NodeTypeInterface $node_type) { ...@@ -300,6 +300,7 @@ public function addPageTitle(NodeTypeInterface $node_type) {
*/ */
protected function getRevisionIds(NodeInterface $node, NodeStorageInterface $node_storage) { protected function getRevisionIds(NodeInterface $node, NodeStorageInterface $node_storage) {
$result = $node_storage->getQuery() $result = $node_storage->getQuery()
->accessCheck(TRUE)
->allRevisions() ->allRevisions()
->condition($node->getEntityType()->getKey('id'), $node->id()) ->condition($node->getEntityType()->getKey('id'), $node->id())
->sort($node->getEntityType()->getKey('revision'), 'DESC') ->sort($node->getEntityType()->getKey('revision'), 'DESC')
......
core/modules/path/src/PathAliasListBuilder.php
View file @ 3f057d61
...@@ -93,7 +93,7 @@ public static function createInstance(ContainerInterface $container, EntityTypeI ...@@ -93,7 +93,7 @@ public static function createInstance(ContainerInterface $container, EntityTypeI
* {@inheritdoc} * {@inheritdoc}
*/ */
protected function getEntityIds() { protected function getEntityIds() {
$query = $this->getStorage()->getQuery(); $query = $this->getStorage()->getQuery()->accessCheck(TRUE);
$search = $this->currentRequest->query->get('search'); $search = $this->currentRequest->query->get('search');
if ($search) { if ($search) {
......
core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php
View file @ 3f057d61
...@@ -209,6 +209,7 @@ protected function valueForm(&$form, FormStateInterface $form_state) { ...@@ -209,6 +209,7 @@ protected function valueForm(&$form, FormStateInterface $form_state) {
else { else {
$options = []; $options = [];
$query = \Drupal::entityQuery('taxonomy_term') $query = \Drupal::entityQuery('taxonomy_term')
->accessCheck(TRUE)
// @todo Sorting on vocabulary properties - // @todo Sorting on vocabulary properties -
// https://www.drupal.org/node/1821274. // https://www.drupal.org/node/1821274.
->sort('weight') ->sort('weight')
......
core/modules/taxonomy/taxonomy.tokens.inc
View file @ 3f057d61
...@@ -178,6 +178,7 @@ function taxonomy_tokens($type, $tokens, array $data, array $options, Bubbleable ...@@ -178,6 +178,7 @@ function taxonomy_tokens($type, $tokens, array $data, array $options, Bubbleable
case 'term-count': case 'term-count':
$replacements[$original] = \Drupal::entityQuery('taxonomy_term') $replacements[$original] = \Drupal::entityQuery('taxonomy_term')
->accessCheck(TRUE)
->condition('vid', $vocabulary->id()) ->condition('vid', $vocabulary->id())
->addTag('vocabulary_term_count') ->addTag('vocabulary_term_count')
->count() ->count()
......
core/modules/user/src/UserListBuilder.php
View file @ 3f057d61
...@@ -67,6 +67,7 @@ public static function createInstance(ContainerInterface $container, EntityTypeI ...@@ -67,6 +67,7 @@ public static function createInstance(ContainerInterface $container, EntityTypeI
*/ */
public function load() { public function load() {
$entity_query = $this->storage->getQuery(); $entity_query = $this->storage->getQuery();
$entity_query->accessCheck(TRUE);
$entity_query->condition('uid', 0, '<>'); $entity_query->condition('uid', 0, '<>');
$entity_query->pager(50); $entity_query->pager(50);
$header = $this->buildHeader(); $header = $this->buildHeader();
......
core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php
View file @ 3f057d61
...@@ -292,9 +292,12 @@ public function testCheckNodeAccess() { ...@@ -292,9 +292,12 @@ public function testCheckNodeAccess() {
$query = $this->createMock('Drupal\Core\Entity\Query\QueryInterface'); $query = $this->createMock('Drupal\Core\Entity\Query\QueryInterface');
$query->expects($this->at(0)) $query->expects($this->at(0))
->method('accessCheck')
->with(TRUE);
$query->expects($this->at(1))
->method('condition') ->method('condition')
->with('nid', [1, 2, 3, 4]); ->with('nid', [1, 2, 3, 4]);
$query->expects($this->at(1)) $query->expects($this->at(2))
->method('condition') ->method('condition')
->with('status', NodeInterface::PUBLISHED); ->with('status', NodeInterface::PUBLISHED);
$query->expects($this->once()) $query->expects($this->once())
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment