When using relation_relation_exists() Node Access restrictions are automatically applied by field_sql_storage_field_storage_query() via tag entity_field_access. In my understanding though the existence of a relation should not depend on access grants for the current user.
Since relation_relation_exists() is used in relation_endpoint_field_validate() to check for existence of unique relations it seems wrong to hide existing relations through Node Access. Just like an unique key for a database table must be checked without any restrictions before adding a new key. Or a real world example: A relation to a girlfriend exists even if her parents try to deny access to her..
Currently a new relation will be created even if the relation type is unique and Node Access hides that fact from the current user.
By adding the DANGEROUS_ACCESS_CHECK_OPT_OUT tag that can be avoided, at least in Drupal 7.15 and higher.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | relation-avoid_node_access_restrictions_1833638-1.patch | 561 bytes | fuerst |
Comments
Comment #1
fuerst commentedThe attached patch is adding the tag DANGEROUS_ACCESS_CHECK_OPT_OUT to
relation_relation_exists()Comment #2
mikran commented#1: relation-avoid_node_access_restrictions_1833638-1.patch queued for re-testing.
Comment #3
mikran commentedrelation_relation_exists() should indeed return everything, somewhat related issue #1760026: self to self relation validation is broken for unique relations. Your patch is now committed.