Require explicit use of accessCheck() on the result of farm.log_query service.

Michael Stenta 2021-10-01 12:44:07 -04:00
parent e22bf3e576
commit 2ebeef595e
4 changed files with 15 additions and 9 deletions


@ -115,6 +115,16 @@ The log query service is a helper service for building a standard log database
query. This is primarily used to query for the "latest" log of an asset.
The asset location and group membership services use this.
Note that you must set specify whether or not you want access checking to be
performed on the queried logs by running the `accessCheck()` method on the
query object that is returned. This will determine whether or not logs that
the current user does not have access to will be filtered out. If you are
trying to find the "latest" log of an asset for a particular purpose, filtering
out logs can cause inconsistent results, so typically `accessCheck(FALSE)` is
necessary. It is the responsibility of the code that uses this service to
understand the security implications of the data this returns, and perform
additional access checking if necessary.
**Methods**:
`getQuery($options)` - Builds a log database query.
@ -129,9 +139,6 @@ It accepts a keyed array of options:
- `status` (string) - Filter by log status.
- `asset` (asset entity) - Filter to logs that reference a particular asset.
- `limit` (int) - Only include this many results.
- `access_check` (bool) - Whether or not to check user access to logs returned
by the query (defaults to `TRUE`, do not set to `FALSE` unless you understand
the security implications for your use-case).
**Example usage**:
@ -145,6 +152,7 @@ $options = [
];
$query = \Drupal::service('farm.log_query')->getQuery($options);
$query->condition('is_movement', TRUE);
$query->accessCheck(FALSE);
$log_ids = $query->execute();
// Load the first log.


@ -114,15 +114,16 @@ class GroupMembership implements GroupMembershipInterface {
}
// Query for group assignment logs that reference the asset.
// We do not check access on the logs to ensure that none are filtered out.
$options = [
'asset' => $asset,
'timestamp' => $this->time->getRequestTime(),
'status' => 'done',
'limit' => 1,
'access_check' => FALSE,
];
$query = $this->logQueryFactory->getQuery($options);
$query->condition('is_group_assignment', TRUE);
$query->accessCheck(FALSE);
$log_ids = $query->execute();
// Bail if no logs are found.
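Review bot: The comment added at the top of the hunk says what is bypassed but not the consequence, which is the security-relevant part: with `$query->accessCheck(FALSE)` the group membership this service reports can be derived from a group-assignment log the current user is not permitted to view, so any consumer that exposes the result (UI, API, views) inherits that disclosure. The commit's own documentation places that responsibility on the consumer, so the code comment at the point of decision should say so rather than only "none are filtered out"; suggest replacing it with `// Access checking is deliberately disabled so the "latest" assignment is the same for every user; the result may derive from a log the current user cannot view, so consumers must apply their own access control to what they expose.` The method body begins and ends outside the hunk, so I cannot see whether the matched log is later loaded with access checks or whether the asset itself is access-checked before this point.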


@ -187,15 +187,16 @@ class AssetLocation implements AssetLocationInterface {
}
// Query for movement logs that reference the asset.
// We do not check access on the logs to ensure that none are filtered out.
$options = [
'asset' => $asset,
'timestamp' => $this->time->getRequestTime(),
'status' => 'done',
'limit' => 1,
'access_check' => FALSE,
];
$query = $this->logQueryFactory->getQuery($options);
$query->condition('is_movement', TRUE);
$query->accessCheck(FALSE);
$log_ids = $query->execute();
// Bail if no logs are found.
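Review bot: Same concern as in GroupMembership: the new comment above `$options` explains that access is not checked but not why that is acceptable or what it implies, and here the implication is that an asset's current location can be resolved from a movement log the current user cannot view. Since location is typically displayed and queried widely, the decision deserves a comment that names the trade-off, e.g. `// Access checking is deliberately disabled so the "latest" movement is consistent for every user; the resulting location may come from a log the current user cannot view, so consumers are responsible for access control on what they expose.` The two services also carry identical comment/option/`accessCheck(FALSE)` sequences; if a third consumer appears, a shared "latest log" helper on the factory that takes the access mode as an explicit argument would keep the security decision in one place. The enclosing method starts and ends outside the hunk, so I cannot see how the returned log IDs are used afterward.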


@ -48,10 +48,6 @@ class LogQueryFactory implements LogQueryFactoryInterface {
// Add a tag.
$query->addTag('farm.log_query');
// Specify access check. By default, only limit to logs the user can view.
$access_check = $options['access_check'] ?? TRUE;
$query->accessCheck($access_check);
// If a type is specified, only include logs of that type.
if (isset($options['type'])) {
$query->condition('type', $options['type']);