Issue #2878483 by dawehner, Berdir, kalpaitch: loadEntityByUuid() should skip access checks

core/lib/Drupal/Core/Entity/EntityStorageBase.php

@@ -499,6 +499,7 @@ protected function buildPropertyQuery(QueryInterface $entity_query, array $value
   public function loadByProperties(array $values = []) {
     // Build a query to fetch the entity IDs.
     $entity_query = $this->getQuery();
+    $entity_query->accessCheck(FALSE);
     $this->buildPropertyQuery($entity_query, $values);
     $result = $entity_query->execute();
     return $result ? $this->loadMultiple($result) : [];

core/modules/system/tests/modules/entity_test/entity_test.module

@@ -6,6 +6,7 @@
  */
 
 use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Database\Query\AlterableInterface;
 use Drupal\Core\Entity\ContentEntityInterface;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Entity\FieldableEntityInterface;
@@ -792,3 +793,17 @@ function entity_test_entity_test_create_access(AccountInterface $account, $conte
   // No opinion.
   return AccessResult::neutral();
 }
+
+/**
+ * Implements hook_query_entity_test_access_alter().
+ */
+function entity_test_query_entity_test_access_alter(AlterableInterface $query) {
+  if (!\Drupal::state()->get('entity_test_query_access')) {
+    return;
+  }
+
+  /** @var \Drupal\Core\Database\Query\Select|\Drupal\Core\Database\Query\AlterableInterface $query */
+  if (!\Drupal::currentUser()->hasPermission('view all entity_test_query_access entities')) {
+    $query->condition('entity_test_query_access.name', 'published entity');
+  }
+}

core/modules/system/tests/modules/entity_test/entity_test.permissions.yml

@@ -12,6 +12,8 @@ administer entity_test_with_bundle content:
   description: 'administer entity_test_with_bundle content'
 administer entity_test_bundle content:
   title: 'administer entity_test_bundle content'
+view all entity_test_query_access entities:
+  title: 'view all entity_test_query_access entities'
 
 permission_callbacks:
   - \Drupal\entity_test\EntityTestPermissions::entityTestBundlePermissions

core/tests/Drupal/KernelTests/Core/Entity/EntityLoadByUuidTest.php

+<?php
+
+namespace Drupal\KernelTests\Core\Entity;
+
+use Drupal\entity_test\Entity\EntityTest;
+use Drupal\KernelTests\KernelTestBase;
+
+/**
+ * Tests loading entities by UUID.
+ *
+ * @group entity
+ */
+class EntityLoadByUuidTest extends KernelTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $modules = ['entity_test', 'user'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    $this->installEntitySchema('user');
+    $this->installEntitySchema('entity_test');
+  }
+
+  /**
+   * Ensures that ::loadEntityByUuid() doesn't apply access checking.
+   */
+  public function testLoadEntityByUuidAccessChecking() {
+    \Drupal::state()->set('entity_test_query_access', TRUE);
+    // Create two test entities.
+    $entity_0 = EntityTest::create([
+      'type' => 'entity_test',
+      'name' => 'published entity'
+    ]);
+    $entity_0->save();
+    $entity_1 = EntityTest::create([
+      'type' => 'entity_test',
+      'name' => 'unpublished entity'
+    ]);
+    $entity_1->save();
+
+    /** @var \Drupal\Core\Entity\EntityRepositoryInterface $repository */
+    $repository = \Drupal::service('entity.repository');
+    $this->assertEquals($entity_0->id(), $repository->loadEntityByUuid('entity_test', $entity_0->uuid())->id());
+    $this->assertEquals($entity_1->id(), $repository->loadEntityByUuid('entity_test', $entity_1->uuid())->id());
+  }
+
+}