Merge pull request #454 from mglaman/entity-query-access-missing-errors

Entity query access check rule improvements

Author: mglaman

src/Type/DrupalStaticEntityQueryDynamicReturnTypeExtension.php

@@ -5,6 +5,7 @@
 use mglaman\PHPStanDrupal\Drupal\EntityDataRepository;
 use mglaman\PHPStanDrupal\Type\EntityQuery\ConfigEntityQueryType;
 use mglaman\PHPStanDrupal\Type\EntityQuery\ContentEntityQueryType;
+use mglaman\PHPStanDrupal\Type\EntityQuery\EntityQueryType;
 use mglaman\PHPStanDrupal\Type\EntityStorage\ConfigEntityStorageType;
 use mglaman\PHPStanDrupal\Type\EntityStorage\ContentEntityStorageType;
 use PhpParser\Node\Expr\StaticCall;
@@ -80,6 +81,10 @@ public function getTypeFromStaticMethodCall(
             );
         }
 
-        return $returnType;
+        return new EntityQueryType(
+            $returnType->getClassName(),
+            $returnType->getSubtractedType(),
+            $returnType->getClassReflection()
+        );
     }
 }

src/Type/EntityStorage/GetQueryReturnTypeExtension.php

@@ -7,6 +7,7 @@
 use Drupal\Core\Entity\EntityStorageInterface;
 use mglaman\PHPStanDrupal\Type\EntityQuery\ConfigEntityQueryType;
 use mglaman\PHPStanDrupal\Type\EntityQuery\ContentEntityQueryType;
+use mglaman\PHPStanDrupal\Type\EntityQuery\EntityQueryType;
 use PhpParser\Node\Expr\MethodCall;
 use PHPStan\Analyser\Scope;
 use PHPStan\Reflection\MethodReflection;
@@ -56,6 +57,10 @@ public function getTypeFromMethodCall(
                 $returnType->getClassReflection()
             );
         }
-        return $returnType;
+        return new EntityQueryType(
+            $returnType->getClassName(),
+            $returnType->getSubtractedType(),
+            $returnType->getClassReflection()
+        );
     }
 }

tests/src/Rules/EntityQueryHasAccessCheckRuleTest.php

@@ -44,5 +44,47 @@ public function cases(): \Generator
                 ],
             ],
         ];
+
+        yield 'bug-438.php' => [
+            [__DIR__ . '/data/bug-438.php'],
+            []
+        ];
+        yield 'bug-396a1.php' => [
+            [__DIR__.'/data/bug-396a1.php'],
+            [
+                [
+                    'Missing explicit access check on entity query.',
+                    27,
+                    'See https://www.drupal.org/node/3201242',
+                ]
+            ]
+        ];
+
+        // @todo 396a2 this passes when run individually, somehow.
+        /*
+        yield 'bug-396a2.php' => [
+            [__DIR__ . '/data/bug-396a2.php'],
+            []
+        ];*/
+        // @todo not chained call, return type extension has no influence.
+        /*
+        yield 'bug-396a3.php' => [
+            [__DIR__ . '/data/bug-396a3.php'],
+            []
+        ];*/
+        yield 'bug-396b.php' => [
+            [__DIR__ . '/data/bug-396b.php'],
+            []
+        ];
+        yield 'bug-396c.php' => [
+            [__DIR__ . '/data/bug-396c.php'],
+            []
+        ];
+        // @todo Try to resolve from typed property.
+        /*
+        yield 'bug-437.php' => [
+            [__DIR__ . '/data/bug-437.php'],
+            []
+        ];*/
     }
 }

tests/src/Rules/data/bug-396a1.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Bug396a;
+
+function foo() {
+    $query = \Drupal::entityQuery('user')
+        ->condition('status', 1)
+        ->condition('uid', 1, '<>')
+        ->condition('field_profile_visibility', 1)
+        ->condition('field_account_type', '', '<>')
+        ->condition('field_last_name.value', '', '<>');
+    if( isset($qparam['expertise']) && !empty($qparam['expertise']) ) {
+        $query->condition('field_field_expertise.entity.tid', $qparam['expertise']);
+    }
+    if( isset($qparam['origin']) && !empty($qparam['origin']) ) {
+        $query->condition('field_place_origin.entity:taxonomy_term.field_country_tags', $qparam['origin']);
+    }
+    if( isset($qparam['place_residence']) && !empty($qparam['place_residence']) ) {
+        $query->condition('field_place_residence.entity:taxonomy_term.field_country_tags', $qparam['place_residence']);
+    }
+    if( isset($qparam['city']) && !empty($qparam['city']) ) {
+        $query->condition('field_city', $qparam['city'], 'CONTAINS');
+    }
+    if( isset($qparam['user_type']) && !empty($qparam['user_type']) ) {
+        $query->condition('field_account_type.entity.tid', $qparam['user_type']);
+    }
+    $users = $query->execute();
+};

tests/src/Rules/data/bug-396a2.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace Bug396a;
+
+function bar() {
+    $query = \Drupal::entityQuery('user')
+        ->accessCheck(FALSE)
+        ->condition('status', 1)
+        ->condition('uid', 1, '<>')
+        ->condition('field_profile_visibility', 1)
+        ->condition('field_account_type', '', '<>')
+        ->condition('field_last_name.value', '', '<>');
+    if( isset($qparam['expertise']) && !empty($qparam['expertise']) ) {
+        $query->condition('field_field_expertise.entity.tid', $qparam['expertise']);
+    }
+    if( isset($qparam['origin']) && !empty($qparam['origin']) ) {
+        $query->condition('field_place_origin.entity:taxonomy_term.field_country_tags', $qparam['origin']);
+    }
+    if( isset($qparam['place_residence']) && !empty($qparam['place_residence']) ) {
+        $query->condition('field_place_residence.entity:taxonomy_term.field_country_tags', $qparam['place_residence']);
+    }
+    if( isset($qparam['city']) && !empty($qparam['city']) ) {
+        $query->condition('field_city', $qparam['city'], 'CONTAINS');
+    }
+    if( isset($qparam['user_type']) && !empty($qparam['user_type']) ) {
+        $query->condition('field_account_type.entity.tid', $qparam['user_type']);
+    }
+    $users = $query->execute();
+};

tests/src/Rules/data/bug-396a3.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace Bug396a;
+
+function baz() {
+    $query = \Drupal::entityQuery('user')
+        ->condition('status', 1)
+        ->condition('uid', 1, '<>')
+        ->condition('field_profile_visibility', 1)
+        ->condition('field_account_type', '', '<>')
+        ->condition('field_last_name.value', '', '<>');
+    if( isset($qparam['expertise']) && !empty($qparam['expertise']) ) {
+        $query->condition('field_field_expertise.entity.tid', $qparam['expertise']);
+    }
+    if( isset($qparam['origin']) && !empty($qparam['origin']) ) {
+        $query->condition('field_place_origin.entity:taxonomy_term.field_country_tags', $qparam['origin']);
+    }
+    if( isset($qparam['place_residence']) && !empty($qparam['place_residence']) ) {
+        $query->condition('field_place_residence.entity:taxonomy_term.field_country_tags', $qparam['place_residence']);
+    }
+    if( isset($qparam['city']) && !empty($qparam['city']) ) {
+        $query->condition('field_city', $qparam['city'], 'CONTAINS');
+    }
+    if( isset($qparam['user_type']) && !empty($qparam['user_type']) ) {
+        $query->condition('field_account_type.entity.tid', $qparam['user_type']);
+    }
+    $query->accessCheck(FALSE);
+    $users = $query->execute();
+};

tests/src/Rules/data/bug-396b.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Bug396b;
+
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+
+class Foo {
+    private EntityTypeManagerInterface $entityTypeManager;
+    private string $entityTypeId;
+    public function __construct(EntityTypeManagerInterface $entityTypeManager)
+    {
+        $this->entityTypeManager = $entityTypeManager;
+        $this->entityTypeId = 'node';
+    }
+    public function a(): int {
+        /** @var \Drupal\Core\Entity\TranslatableRevisionableStorageInterface|\Drupal\Core\Entity\EntityStorageInterface $storage */
+        $storage = $this->entityTypeManager->getStorage($this->entityTypeId);
+        return $storage->getQuery()->accessCheck(FALSE)->count()->execute() + 1;
+    }
+}

tests/src/Rules/data/bug-396c.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace Bug396c;
+
+use Drupal\Core\Entity\EntityStorageInterface;
+
+class EntityQueryTest {
+    private EntityStorageInterface $storage;
+    public function setUp(): void {
+        $this->storage = \Drupal::entityTypeManager()->getStorage('entity_test_mulrev');
+    }
+    public function a(): int {
+        $query = $this->storage
+            ->getQuery('OR')
+            ->accessCheck(FALSE)
+            ->exists('abcfoo', 'tr')
+            ->condition("abd.color", 'red')
+            ->sort('id');
+        $count_query = clone $query;
+        return $count_query->count()->execute();
+    }
+    public function b(): int {
+        $query = $this->storage
+            ->getQuery('OR')
+            ->accessCheck(FALSE)
+            ->exists('abcfoo', 'tr')
+            ->condition("abd.color", 'red')
+            ->sort('id');
+        return $query->count()->execute();
+    }
+}

tests/src/Rules/data/bug-437.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Bug437;
+
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\Entity\Query\QueryInterface;
+
+final class Foo {
+    private QueryInterface $vocabularyQuery;
+    public function __construct(EntityTypeManagerInterface $entityTypeManager)
+    {
+        $this->vocabularyQuery = $entityTypeManager
+            ->getStorage('taxonomy_term')
+            ->getQuery()
+            ->accessCheck(TRUE);
+    }
+    public function a(): int {
+        return $this->vocabularyQuery->count()->execute();
+    }
+}

tests/src/Rules/data/bug-438.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace EntityReferenceRevisionsExample;
+
+use Drupal\Core\Entity\ContentEntityInterface;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+
+class Foo {
+    private EntityTypeManagerInterface $entityTypeManager;
+    public function __construct(EntityTypeManagerInterface $entityTypeManager)
+    {
+        $this->entityTypeManager = $entityTypeManager;
+    }
+    public function deleteUnusedRevision(ContentEntityInterface $composite_revision) {
+        $composite_storage = $this->entityTypeManager->getStorage($composite_revision->getEntityTypeId());
+
+        if ($composite_revision->isDefaultRevision()) {
+            $count = $composite_storage
+                ->getQuery()
+                ->accessCheck(FALSE)
+                ->allRevisions()
+                ->condition($composite_storage->getEntityType()->getKey('id'), $composite_revision->id())
+                ->count()
+                ->execute();
+            if ($count <= 1) {
+                $composite_revision->delete();
+                return TRUE;
+            }
+        }
+        else {
+            // Delete the revision if this is not the default one.
+            $composite_storage->deleteRevision($composite_revision->getRevisionId());
+            return TRUE;
+        }
+
+        return FALSE;
+    }
+}