-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Entity::access should default to FALSE #4975
Comments
Hm, that sounds like a dangerous default... api page of Entity::access. The same happens in Entity::createAccess On the other hand - changing a default value might cause trouble, too. My feeling says: let it default to NULL, but I didn't dig deeper. |
OMG, it should really default to Pinging @backdrop/core-committers |
...my personal opinion is that we should fix this, even if it turns out to "break" contrib. It will not really be a breakage rather than security hardening by default. |
I agree, this needs to be fixed. But I wanted to mention that most contrib ports from D7 that used Entity API there will/should use Eventually when |
|
@herbdool that makes sense. I think the issue stemmed from the original OP porting Registrations from D7 to Backdrop, and not realizing that they should have used |
One more thing: this is not quite true. |
@herbdool that's a dangerous assumption, because if they do not know (yet), they might shoot in their own foot. The official docs do not warn at all. @argiepiano the long-term goal of the current work on individual access() and createAccess() methods is to make entity_access() a useful and reliable function - it currently isn't, unfortunately. The downside is, that this needs work in several places. Entity::access might be one of those places. |
Not sure about this, but had the thought so posting. Tried debugging a new module Registration because anonymous was getting access that they shouldn't. Traced this to our implementation of
entity_access()
. In D7entity_access()
would check for an access callback on thehook_entity_info()
of the entity; if there was none, then I presume the default return would be NULL. But for Backdrop, our version ofentity_access()
looks for anaccess()
method on the entity. D7 ports would not have thisaccess()
method on their entities, so the method on the parent class (Entity::access()
) ends up being called.Entity::access()
just returns TRUE. So by default, seems any call toentity_access()
on a module port would return TRUE.Should we default to FALSE?
I suppose if you're porting a module you should recognize this (part of the reason to document this here, for any searchers) but in case you don't, and thought you had access covered like it was in D7, you'd end up exposing private stuff to anonymous. Maybe we should help by defaulting to preventing that.
The text was updated successfully, but these errors were encountered: