fix: Fix unpredictable false positive/negative of missing entity access check in function scope due to cache key conflict #475

driskell · driskell · commit 22d9ab08499c · 2022-09-15T12:42:31.000+01:00
diff --git a/src/Type/EntityQuery/EntityQueryType.php b/src/Type/EntityQuery/EntityQueryType.php
@@ -22,4 +22,9 @@ public function withAccessCheck(): self
 
         return $type;
     }
+
+    protected function describeAdditionalCacheKey(): string
+    {
+        return $this->hasAccessCheck ? 'with-access-check' : '';
+    }
 }
diff --git a/tests/src/Rules/EntityQueryHasAccessCheckRuleTest.php b/tests/src/Rules/EntityQueryHasAccessCheckRuleTest.php
@@ -86,5 +86,15 @@ public function cases(): \Generator
             [__DIR__ . '/data/bug-437.php'],
             []
         ];*/
+
+        yield 'bug-475.php' => [
+            [__DIR__.'/data/bug-475.php'],
+            []
+        ];
+
+        yield 'bug-475b.php' => [
+            [__DIR__.'/data/bug-475b.php'],
+            []
+        ];
     }
 }
diff --git a/tests/src/Rules/data/bug-475.php b/tests/src/Rules/data/bug-475.php
@@ -0,0 +1,21 @@
+<?php
+
+/**
+ * Cache key differs outside of class so this is separate reproduction
+ *
+ * @return void
+ */
+function bug475Caching(): void
+{
+    // Here condition() return type will be cached as one that has no access check
+    \Drupal::entityQuery('node')
+        ->condition('field_test', 'foo', '=')
+        ->accessCheck(FALSE)
+        ->execute();
+
+    // Cache return on condition() will also be no access check, even though caller did, unless caller type changes cache key
+    \Drupal::entityQuery('node')
+        ->accessCheck(FALSE)
+        ->condition('field_test', 'foo', '=')
+        ->execute();
+}
diff --git a/tests/src/Rules/data/bug-475b.php b/tests/src/Rules/data/bug-475b.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace Bug475CacheKeyExample;
+
+/**
+ * Cache key differs if in class so this tests that too
+ *
+ * @return void
+ */
+class TestClass
+{
+    public function bug475Caching(): void
+    {
+        // Here condition() return type will be cached as one that has no access check
+        \Drupal::entityQuery('node')
+            ->condition('field_test', 'foo', '=')
+            ->accessCheck(FALSE)
+            ->execute();
+
+        // Cache return on condition() will also be no access check, even though caller did, unless caller type changes cache key
+        \Drupal::entityQuery('node')
+            ->accessCheck(FALSE)
+            ->condition('field_test', 'foo', '=')
+            ->execute();
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -22,4 +22,9 @@ public function withAccessCheck(): self`
`22`	`22`
`23`	`23`	`return $type;`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+ protected function describeAdditionalCacheKey(): string`
	`27`	`+ {`
	`28`	`+ return $this->hasAccessCheck ? 'with-access-check' : '';`
	`29`	`+ }`
`25`	`30`	`}`