EntityQuery accessCheck: bundle delete forms should warn of content at risk regardless of access
Closes #3202040
Merge request reports
Activity
65 65 */ 66 66 public function buildForm(array $form, FormStateInterface $form_state) { 67 67 $comments = $this->entityTypeManager->getStorage('comment')->getQuery() 68 ->accessCheck(FALSE) I had to look at this in context to see whether we were listing comment titles or just showing a count. We only show a count, which means this is fine. However that means this could also just be a count query instead of doing count($comments).
I don't think we should get into changing that logic here though, so will open a follow-up.
17 17 */ 18 18 public function buildForm(array $form, FormStateInterface $form_state) { 19 19 $num_nodes = $this->entityTypeManager->getStorage('node')->getQuery() 20 ->accessCheck(FALSE) So the case where this would cause an actual bug would be the following:
Someone has access to delete node types, but they don't have the bypass node access condition.
Lots of people can have bypass node access by itself, but it'd be quite rare to have field/entity UI-level access without bypass node access, so I think it's OK to be pragmatic and just fix the query in this case to unblock the wider change and actually stop serious bugs occurring.