[backport] EntityQuery accessCheck: field ui cardinality validation should not be access sensitive [#3202440]

See parent issue #3200985: [meta] Fix undesirable access checking on entity query usages for context and test coverage policy.

Drupal's field_ui module allows sitebuilders to specify the cardinality of a field, the number of allowed values in that field on a single entity. When changing this setting to specify a reduced number of allowed values, for an entity type that has existing data, FieldStorageConfigEditForm::validateCardinality checks that there are not already entities that exceed the new number of allowed values.

This check should not be access sensitive.

Comment	File	Size	Author
#11	interdiff_8-11.txt	794 bytes	ravi.shankar
#11	3202440-11.patch	3.95 KB	ravi.shankar
#11	8.9.x: PHP 7.3 & MySQL 5.7 28,636 pass
#8	3202440-8.patch	3.94 KB	ravi.shankar
#8	8.9.x: PHP 7.3 & MySQL 5.7 28,636 pass

Issue fork drupal-3202440

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

3202440-entityquery-accesscheck-field changes, plain diff MR !406
Check out this branch

About issue forks

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

9 March 2021 at 10:27

jonathanshaw created an issue. See original summary.

Comment #2

9 March 2021 at 16:33

jonathanshaw opened merge request !406

Comment #3

jonathanshaw

English

Stroud, UK

CreditAttribution: jonathanshaw commented 12 March 2021 at 18:54

Status:

Active

» Needs review

Comment #4

longwave

he/him

English

CreditAttribution: longwave at Full Fat Things commented 12 March 2021 at 22:17

Status:

Needs review

» Reviewed & tested by the community

Thanks for working on these - the fix is good and the test is great!

I was going to suggest avoiding t() in the assertRaw() call as elsewhere we are trying to remove t(), but as you're following the convention used earlier in the same test I think it's OK to add this here and then clean it all up in one go in the future.

Comment #5

15 March 2021 at 14:34

catch committed af01411 on 9.2.x

Issue #3202440 by jonathanshaw, longwave: EntityQuery accessCheck: field...

Comment #6

15 March 2021 at 14:34

catch committed 82fe153 on 9.1.x

Issue #3202440 by jonathanshaw, longwave: EntityQuery accessCheck: field...

Comment #7

catch

he/him

English

CreditAttribution: catch at Third and Grove commented 15 March 2021 at 14:35

Title:	EntityQuery accessCheck: field ui cardinality validation should not be access sensitive	» [backport] EntityQuery accessCheck: field ui cardinality validation should not be access sensitive
Version:	9.2.x-dev	» 8.9.x-dev
Status:	Reviewed & tested by the community	» Needs work
Issue tags:		+Needs reroll

Committed/pushed to 9.2.x and cherry-picked to 9.1.x, thanks!

This should probably go into 8.9.x too, but it needs a re-roll/rebase there.

Comment #8

ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commented 31 March 2021 at 08:33

Status:	Needs work	» Needs review
Issue tags:	-Needs reroll

File	Size
3202440-8.patch	3.94 KB
8.9.x: PHP 7.3 & MySQL 5.7 28,636 pass

Added reroll for Drupal 8.9.x.

Comment #9

jonathanshaw

English

Stroud, UK

CreditAttribution: jonathanshaw commented 31 March 2021 at 15:59

Status:

Needs review

» Reviewed & tested by the community

Comment #10

renatog

Campinas

CreditAttribution: renatog at CI&T commented 31 March 2021 at 23:06

Status:

Reviewed & tested by the community

» Needs work

This comment has more than 80 chars, please split it into a second line
// Remove the cardinality limit 4 so we can add a node the user doesn't have access to.
Example:

// Remove the cardinality limit 4 so we can add a node the user doesn't have
// access to.

Comment #11

ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commented 1 April 2021 at 04:07

Status:

Needs work

» Needs review

File	Size
3202440-11.patch	3.95 KB
8.9.x: PHP 7.3 & MySQL 5.7 28,636 pass
interdiff_8-11.txt	794 bytes

Addressed comment #10.

Comment #12

jonathanshaw

English

Stroud, UK

CreditAttribution: jonathanshaw commented 1 April 2021 at 08:40

Status:

Needs review

» Reviewed & tested by the community

Comment #13

renatog

Campinas

CreditAttribution: renatog at CI&T commented 1 April 2021 at 11:23

Thanks, really works well. +1 to it

Comment #14

2 April 2021 at 21:18

catch committed c2af52f on 8.9.x

Issue #3202440 by jonathanshaw, ravi.shankar, catch, longwave: [backport...

Comment #15

catch

he/him

English

CreditAttribution: catch at Third and Grove commented 2 April 2021 at 21:19

Status:

Reviewed & tested by the community

» Fixed

+++ b/core/modules/field_ui/tests/src/Functional/ManageFieldsFunctionalTest.php
@@ -344,6 +351,47 @@ public function cardinalitySettings() {
+
+    // Assert that you can't set the cardinality to a lower number then the
+    // highest delta of this field (including inaccessible entities) but can
+    // set it to the same.

*than the highest delta (fixed on commit).

Committed c2af52f and pushed to 8.9.x. Thanks!