The relationships provided by Services Entity Reference don't check for access at all.

There is this comment in the access callback for the resource:

  public function access($op, $args) {
    if ($op == 'index') {
      // Access is handled at the query level.
      return TRUE;
    }

Does this mean it's up to entity modules to alter the EntityFieldQuery with hook_entity_query_alter()? That doesn't seem to be very good DX to me (certainly doesn't gel well with my project), as it means that an entity type module needs to implement two ways in to access rather than one.

Hence I would suggest that we add a call to entity_access() in the index() method. We have loaded entities anyway by this point; the performance overhead depends entirely on what the entity type's access callback is doing.
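A sketch of the post-load check suggested above, as an added example that is not the module's own code or the attached patch. `entity_access()` is the Entity API module's function; `example_filter_viewable()`, the `example_type` entity type and the `published` flag are hypothetical, and the stand-in `entity_access()` exists only so the snippet runs outside Drupal.

```php
<?php
// Stand-in for Entity API's entity_access(), defined only when running
// outside Drupal. Constructed rule: only 'published' entities are viewable.
if (!function_exists('entity_access')) {
  function entity_access($op, $entity_type, $entity = NULL, $account = NULL) {
    if ($entity_type !== 'example_type') {
      // Entity API returns NULL when the entity type declares no access
      // callback; the stand-in mirrors that.
      return NULL;
    }
    return $op === 'view' && !empty($entity->published);
  }
}

/**
 * Hypothetical helper: drops loaded entities the account may not view.
 *
 * Intended to run on the entities an index-style resource has already
 * loaded, before they are returned to the client.
 */
function example_filter_viewable($entity_type, array $entities, $account = NULL) {
  $allowed = array();
  foreach ($entities as $id => $entity) {
    // Fail closed: a NULL result (no access callback) is treated as a denial,
    // so an entity type without access information is never exposed.
    if (entity_access('view', $entity_type, $entity, $account)) {
      $allowed[$id] = $entity;
    }
  }
  return $allowed;
}

// Constructed sample data standing in for the result of entity_load().
$entities = array(
  1 => (object) array('id' => 1, 'published' => TRUE),
  2 => (object) array('id' => 2, 'published' => FALSE),
);

// Entity type with an access callback: only the permitted entity remains.
print implode(',', array_keys(example_filter_viewable('example_type', $entities))) . "\n";
// Entity type without an access callback: nothing is returned.
print count(example_filter_viewable('other_type', $entities)) . "\n";
```

Filtering after the query means a page of results can come back shorter than the requested page size, so clients should not infer the total count from it.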

Comments

joachim

Status: Active » Needs review
Attached file: status new, size 3.4 KB
joachim

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.