Order refresh causes leaked metadata when saving in checkout

Promotions didn’t have query access, and now they do. So they leak metadata during an order refresh. This is due to #3086409: Provide a default query_access handler for core (maybe all?) entity types adding query access to all entities.

Okay, tracking this down. That issue adds EventOnlyQueryAccessHandler.

It defines no conditions, but dispatches an event for attaching conditions

  /**
   * {@inheritdoc}
   */
  public function getConditions($operation, AccountInterface $account = NULL) {
    $account = $account ?: $this->currentUser;
    $entity_type_id = $this->entityType->id();
    $conditions = new ConditionGroup('OR');

    // Allow other modules to modify the conditions before they are used.
    $event = new QueryAccessEvent($conditions, $operation, $account, $entity_type_id);
    $this->eventDispatcher->dispatch("entity.query_access", $event);
    $this->eventDispatcher->dispatch("entity.query_access.{$entity_type_id}", $event);

    return $conditions;
  }

If we look at \Drupal\entity\QueryAccess\EntityQueryAlter::alter, it always applies cacheable metadata

    /** @var \Drupal\entity\QueryAccess\QueryAccessHandlerInterface $query_access */
    $query_access = $this->entityTypeManager->getHandler($entity_type_id, 'query_access');
    $conditions = $query_access->getConditions($query->getMetaData('op') ?: 'view');
    if ($conditions->isAlwaysFalse()) {
      $query->where('1 = 0');
    }
    elseif (count($conditions)) {
      $sql_conditions = $this->mapConditions($conditions, $query);
      $query->condition($sql_conditions);
    }

    $this->applyCacheability(CacheableMetadata::createFromObject($conditions));

So it looks like Entity API needs a fix to not bubble cacheability if there are no conditions.

Linking to an issue in Entity API

This wraps the save in a context aware renderer so we can capture and metadata.

Committed!