author | David Rothstein <drothstein@gmail.com> | 2012-07-29 16:32:53 -0400 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2012-07-29 16:32:53 -0400 |
commit | bada57662c3bf6f2aa1cb1cc899abc98506a4679 (patch) | |
tree | bb9f0b59388d21851e87183eadf30e10ea62b6ea /modules | |
parent | 331a3756c369eb4f08272a7a5721a13fd841dfae (diff) | |
Issue #1571104 by BTMash, Dave.Ingram, mradcliffe, Damien Tournoud, sun, lliss, tim.plunkett | lkiss80: Fixed Can't access non-node entities with EntityFieldQuery.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/node/node.module | 19 | ||||
-rw-r--r-- | modules/simpletest/tests/entity_query.test | 22 | ||||
-rw-r--r-- | modules/simpletest/tests/entity_query_access_test.info | 6 | ||||
-rw-r--r-- | modules/simpletest/tests/entity_query_access_test.module | 54 |
4 files changed, 95 insertions, 6 deletions
diff --git a/modules/node/node.module b/modules/node/node.module
index 71ea3b923..264816c00 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -3273,8 +3273,9 @@ function _node_query_node_access_alter($query, $type) {
 // @endcode
 //
 // So instead of directly adding to the query object, we need to collect
- // in a separate db_and() object and then at the end add it to the query.
- $entity_conditions = db_and();
+ // all of the node access conditions in a separate db_and() object and
+ // then add it to the query at the end.
+ $node_conditions = db_and();
 }
 foreach ($tables as $nalias => $tableinfo) {
 $table = $tableinfo['table'];
@@ -3308,16 +3309,24 @@ function _node_query_node_access_alter($query, $type) {
 $field = 'entity_id';
 }
 $subquery->where("$nalias.$field = na.nid");
- $query->exists($subquery);
+
+ // For an entity query, attach the subquery to entity conditions.
+ if ($type == 'entity') {
+ $node_conditions->exists($subquery);
+ }
+ // Otherwise attach it to the node query itself.
+ else {
+ $query->exists($subquery);
+ }
 }
 }
 if ($type == 'entity' && count($subquery->conditions())) {
 // All the node access conditions are only for field values belonging to
 // nodes.
- $entity_conditions->condition("$base_alias.entity_type", 'node');
+ $node_conditions->condition("$base_alias.entity_type", 'node');
 $or = db_or();
- $or->condition($entity_conditions);
+ $or->condition($node_conditions);
 // If the field value belongs to a non-node entity type then this function
 // does not do anything with it.
 $or->condition("$base_alias.entity_type", 'node', '<>');
diff --git a/modules/simpletest/tests/entity_query.test b/modules/simpletest/tests/entity_query.test
index ddfd35433..7a7c6222c 100644
--- a/modules/simpletest/tests/entity_query.test
+++ b/modules/simpletest/tests/entity_query.test
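Review bot: In the second hunk of modules/node/node.module, the guard after the loop, `if ($type == 'entity' && count($subquery->conditions()))`, still inspects only the last `$subquery` the loop built, although the entity branch now collects every subquery in `$node_conditions`. `$subquery` is assigned outside the hunk, so this is inferred, but if no table reaches that assignment during an entity query the guard would call `conditions()` on an unset variable. Checking the collected object would tie the guard to what is actually added to the query, for example `if ($type == 'entity' && count($node_conditions)) {`, assuming the condition object is countable in this database layer. The new comment still says "entity conditions"; `// For an entity query, collect the subquery in $node_conditions so it only restricts rows whose entity_type is 'node'.` would match the renamed variable. `_node_query_node_access_alter()` begins and ends outside the hunk.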
@@ -20,7 +20,7 @@ class EntityFieldQueryTestCase extends DrupalWebTestCase {
 }
 function setUp() {
- parent::setUp(array('field_test'));
+ parent::setUp(array('node', 'field_test', 'entity_query_access_test', 'node_access_test'));
 field_test_create_bundle('bundle1');
 field_test_create_bundle('bundle2');
@@ -1607,6 +1607,26 @@ class EntityFieldQueryTestCase extends DrupalWebTestCase {
 }
 /**
+ * Tests EntityFieldQuery access on non-node entities.
+ */
+ function testEntityFieldQueryAccess() {
+ // Test as a user with ability to bypass node access.
+ $privileged_user = $this->drupalCreateUser(array('bypass node access', 'access content'));
+ $this->drupalLogin($privileged_user);
+ $this->drupalGet('entity-query-access/test/' . $this->fields[0]['field_name']);
+ $this->assertText('Found entity', 'Returned access response with entities.');
+ $this->drupalLogout();
+
+ // Test as a user that does not have ability to bypass node access or view
+ // all nodes.
+ $regular_user = $this->drupalCreateUser(array('access content'));
+ $this->drupalLogin($regular_user);
+ $this->drupalGet('entity-query-access/test/' . $this->fields[0]['field_name']);
+ $this->assertText('Found entity', 'Returned access response with entities.');
+ $this->drupalLogout();
+ }
+
+ /**
 * Fetches the results of an EntityFieldQuery and compares.
 *
 * @param $query
diff --git a/modules/simpletest/tests/entity_query_access_test.info b/modules/simpletest/tests/entity_query_access_test.info
new file mode 100644
index 000000000..8c43dd1b2
--- /dev/null
+++ b/modules/simpletest/tests/entity_query_access_test.info
@@ -0,0 +1,6 @@
+name = "Entity query access test"
+description = "Support module for checking entity query results."
+package = Testing
+version = VERSION
+core = 7.x
+hidden = TRUE
diff --git a/modules/simpletest/tests/entity_query_access_test.module b/modules/simpletest/tests/entity_query_access_test.module
new file mode 100644
index 000000000..53641af5a
--- /dev/null
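Review bot: In `testEntityFieldQueryAccess()` both halves assert the same positive text, `'Found entity'`, so the test shows that non-node entities are returned but never that node rows are still filtered for the user who holds only `access content`. For a change to access-control query rewriting the negative case is the more important regression guard: a query over a field attached to a node the regular user has no grant for, checked with something like `$this->assertNoText('Found entity of type node', 'Restricted nodes are not returned.');`, which would need the helper page to query nodes as well. The two assertion messages are also identical; naming the user in each, for example `'Privileged user sees non-node entities.'`, would make a failure attributable to one half of the test.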
+++ b/modules/simpletest/tests/entity_query_access_test.module
@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * @file
+ * Helper module for testing EntityFieldQuery access on any type of entity.
+ */
+
+/**
+ * Implements hook_menu().
+ */
+function entity_query_access_test_menu() {
+ $items['entity-query-access/test/%'] = array(
+ 'title' => "Retrieve a sample of entity query access data",
+ 'page callback' => 'entity_query_access_test_sample_query',
+ 'page arguments' => array(2),
+ 'access callback' => TRUE,
+ 'type' => MENU_CALLBACK,
+ );
+
+ return $items;
+}
+
+/**
+ * Returns the results from an example EntityFieldQuery.
+ */
+function entity_query_access_test_sample_query($field_name) {
+ global $user;
+
+ // Simulate user does not have access to view all nodes.
+ $access = &drupal_static('node_access_view_all_nodes');
+ $access[$user->uid] = FALSE;
+
+ $query = new EntityFieldQuery();
+ $query
+ ->entityCondition('entity_type', 'test_entity_bundle_key')
+ ->fieldCondition($field_name, 'value', 0, '>')
+ ->entityOrderBy('entity_id', 'ASC');
+ $results = array(
+ 'items' => array(),
+ 'title' => t('EntityFieldQuery results'),
+ );
+ foreach ($query->execute() as $entity_type => $entity_ids) {
+ foreach ($entity_ids as $entity_id => $entity_stub) {
+ $results['items'][] = format_string('Found entity of type @entity_type with id @entity_id', array('@entity_type' => $entity_type, '@entity_id' => $entity_id));
+ }
+ }
+ if (count($results['items']) > 0) {
+ $output = theme('item_list', $results);
+ }
+ else {
+ $output = 'No results found with EntityFieldQuery.';
+ }
+ return $output;
+} |
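Review bot: `entity_query_access_test_sample_query()` passes the `%` path argument straight into `fieldCondition()` on a route registered with `'access callback' => TRUE`, so any visitor can drive the query with an arbitrary field name whenever this module is enabled. That is acceptable only because the module is a hidden test helper; a guard such as `if (!field_info_field($field_name)) { return MENU_NOT_FOUND; }` at the top of the callback would fail closed on unknown names. The docblock should also gain an `@param $field_name` line and state that the callback forces the `node_access_view_all_nodes` static to FALSE for the current user, since that override is a side effect a reader would not expect from a "sample query".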