When using relation_relation_exists() Node Access restrictions are automatically applied by field_sql_storage_field_storage_query() via tag entity_field_access. In my understanding though the existence of a relation should not depend on access grants for the current user.

Since relation_relation_exists() is used in relation_endpoint_field_validate() to check for existence of unique relations it seems wrong to hide existing relations through Node Access. Just like an unique key for a database table must be checked without any restrictions before adding a new key. Or a real world example: A relation to a girlfriend exists even if her parents try to deny access to her..

Currently a new relation will be created even if the relation type is unique and Node Access hides that fact from the current user.

By adding the DANGEROUS_ACCESS_CHECK_OPT_OUT tag that can be avoided, at least in Drupal 7.15 and higher.

Comments

fuerst’s picture

Status: Active » Needs review
StatusFileSize
new561 bytes

The attached patch is adding the tag DANGEROUS_ACCESS_CHECK_OPT_OUT to relation_relation_exists()

mikran’s picture

mikran’s picture

Status: Needs review » Fixed

relation_relation_exists() should indeed return everything, somewhat related issue #1760026: self to self relation validation is broken for unique relations. Your patch is now committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.