Add samples from Drupal core for entity query access

issue #396

Author: mglaman

tests/src/Rules/EntityQueryHasAccessCheckRuleTest.php

@@ -49,5 +49,23 @@ public function cases(): \Generator
             [__DIR__ . '/data/bug-438.php'],
             []
         ];
+        yield [
+            [__DIR__.'/data/bug-396a.php'],
+            [
+                [
+                    'Missing explicit access check on entity query.',
+                    27,
+                    'See https://www.drupal.org/node/3201242',
+                ]
+            ]
+        ];
+        yield [
+            [__DIR__ . '/data/bug-396b.php'],
+            []
+        ];
+        yield [
+            [__DIR__ . '/data/bug-396c.php'],
+            []
+        ];
     }
 }

tests/src/Rules/data/bug-396a.php

@@ -0,0 +1,78 @@
+<?php
+
+namespace Bug396a;
+
+function () {
+    $query = \Drupal::entityQuery('user')
+        ->condition('status', 1)
+        ->condition('uid', 1, '<>')
+        ->condition('field_profile_visibility', 1)
+        ->condition('field_account_type', '', '<>')
+        ->condition('field_last_name.value', '', '<>');
+    if( isset($qparam['expertise']) && !empty($qparam['expertise']) ) {
+        $query->condition('field_field_expertise.entity.tid', $qparam['expertise']);
+    }
+    if( isset($qparam['origin']) && !empty($qparam['origin']) ) {
+        $query->condition('field_place_origin.entity:taxonomy_term.field_country_tags', $qparam['origin']);
+    }
+    if( isset($qparam['place_residence']) && !empty($qparam['place_residence']) ) {
+        $query->condition('field_place_residence.entity:taxonomy_term.field_country_tags', $qparam['place_residence']);
+    }
+    if( isset($qparam['city']) && !empty($qparam['city']) ) {
+        $query->condition('field_city', $qparam['city'], 'CONTAINS');
+    }
+    if( isset($qparam['user_type']) && !empty($qparam['user_type']) ) {
+        $query->condition('field_account_type.entity.tid', $qparam['user_type']);
+    }
+    $users = $query->execute();
+};
+function () {
+    $query = \Drupal::entityQuery('user')
+        ->accessCheck(FALSE)
+        ->condition('status', 1)
+        ->condition('uid', 1, '<>')
+        ->condition('field_profile_visibility', 1)
+        ->condition('field_account_type', '', '<>')
+        ->condition('field_last_name.value', '', '<>');
+    if( isset($qparam['expertise']) && !empty($qparam['expertise']) ) {
+        $query->condition('field_field_expertise.entity.tid', $qparam['expertise']);
+    }
+    if( isset($qparam['origin']) && !empty($qparam['origin']) ) {
+        $query->condition('field_place_origin.entity:taxonomy_term.field_country_tags', $qparam['origin']);
+    }
+    if( isset($qparam['place_residence']) && !empty($qparam['place_residence']) ) {
+        $query->condition('field_place_residence.entity:taxonomy_term.field_country_tags', $qparam['place_residence']);
+    }
+    if( isset($qparam['city']) && !empty($qparam['city']) ) {
+        $query->condition('field_city', $qparam['city'], 'CONTAINS');
+    }
+    if( isset($qparam['user_type']) && !empty($qparam['user_type']) ) {
+        $query->condition('field_account_type.entity.tid', $qparam['user_type']);
+    }
+    $users = $query->execute();
+};
+function () {
+    $query = \Drupal::entityQuery('user')
+        ->condition('status', 1)
+        ->condition('uid', 1, '<>')
+        ->condition('field_profile_visibility', 1)
+        ->condition('field_account_type', '', '<>')
+        ->condition('field_last_name.value', '', '<>');
+    if( isset($qparam['expertise']) && !empty($qparam['expertise']) ) {
+        $query->condition('field_field_expertise.entity.tid', $qparam['expertise']);
+    }
+    if( isset($qparam['origin']) && !empty($qparam['origin']) ) {
+        $query->condition('field_place_origin.entity:taxonomy_term.field_country_tags', $qparam['origin']);
+    }
+    if( isset($qparam['place_residence']) && !empty($qparam['place_residence']) ) {
+        $query->condition('field_place_residence.entity:taxonomy_term.field_country_tags', $qparam['place_residence']);
+    }
+    if( isset($qparam['city']) && !empty($qparam['city']) ) {
+        $query->condition('field_city', $qparam['city'], 'CONTAINS');
+    }
+    if( isset($qparam['user_type']) && !empty($qparam['user_type']) ) {
+        $query->condition('field_account_type.entity.tid', $qparam['user_type']);
+    }
+    $query->accessCheck(FALSE);
+    $users = $query->execute();
+};

tests/src/Rules/data/bug-396b.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Bug396b;
+
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+
+class Foo {
+    private EntityTypeManagerInterface $entityTypeManager;
+    private string $entityTypeId;
+    public function __construct(EntityTypeManagerInterface $entityTypeManager)
+    {
+        $this->entityTypeManager = $entityTypeManager;
+        $this->entityTypeId = 'node';
+    }
+    public function a(): int {
+        /** @var \Drupal\Core\Entity\TranslatableRevisionableStorageInterface|\Drupal\Core\Entity\EntityStorageInterface $storage */
+        $storage = $this->entityTypeManager->getStorage($this->entityTypeId);
+        return $storage->getQuery()->accessCheck(FALSE)->count()->execute() + 1;
+    }
+}

tests/src/Rules/data/bug-396c.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace Bug396c;
+
+use Drupal\Core\Entity\EntityStorageInterface;
+
+class EntityQueryTest {
+    private EntityStorageInterface $storage;
+    public function setUp(): void {
+        $this->storage = \Drupal::entityTypeManager()->getStorage('entity_test_mulrev');
+    }
+    public function a(): int {
+        $query = $this->storage
+            ->getQuery('OR')
+            ->accessCheck(FALSE)
+            ->exists('abcfoo', 'tr')
+            ->condition("abd.color", 'red')
+            ->sort('id');
+        $count_query = clone $query;
+        return $count_query->count()->execute();
+    }
+    public function b(): int {
+        $query = $this->storage
+            ->getQuery('OR')
+            ->accessCheck(FALSE)
+            ->exists('abcfoo', 'tr')
+            ->condition("abd.color", 'red')
+            ->sort('id');
+        return $query->count()->execute();
+    }
+}