Fix for relying on entity queries to check access (#854)

modules/apigee_edge_teams/src/Controller/TeamAppKeysController.php

@@ -37,7 +37,10 @@ public function teamAppKeys($team, $app): JsonResponse {
     $payload = [];
     if ($team) {
       $app_storage = $this->entityTypeManager->getStorage('team_app');
+      // Lists all the team apps ids.
+      // Team app is accessible to all the team members.
       $app_ids = $app_storage->getQuery()
+        ->accessCheck(FALSE)
         ->condition('companyName', $team->id())
         ->condition('name', $app->getName())
         ->execute();

modules/apigee_edge_teams/src/Entity/Storage/TeamInvitationStorage.php

@@ -147,7 +147,7 @@ protected function invokeHook($hook, EntityInterface $entity) {
    * {@inheritdoc}
    */
   public function loadByRecipient(string $email, ?string $team_id = NULL): array {
-    $query = $this->getQuery()->condition('recipient', $email);
+    $query = $this->getQuery()->accessCheck(TRUE)->condition('recipient', $email);
 
     if ($team_id) {
       $query->condition('team', $team_id);
@@ -161,7 +161,8 @@ public function loadByRecipient(string $email, ?string $team_id = NULL): array {
    * {@inheritdoc}
    */
   public function getInvitationsToExpire(): array {
-    $query = $this->getQuery()->condition('expiry', $this->time->getCurrentTime(), '<')
+    // Team invitation is accessable as we need to update status in cron run.
+    $query = $this->getQuery()->accessCheck(FALSE)->condition('expiry', $this->time->getCurrentTime(), '<')
       ->condition('status', TeamInvitationInterface::STATUS_PENDING);
 
     $ids = $query->execute();

modules/apigee_edge_teams/src/ParamConverter/TeamAppNameConverter.php

@@ -76,7 +76,10 @@ public function convert($value, $definition, $name, array $defaults) {
     $team = is_object($defaults['team']) ? $defaults['team'] : $this->entityTypeManager->getStorage('team')->load($defaults['team']);
     if ($team) {
       $app_storage = $this->entityTypeManager->getStorage('team_app');
+      // Lists all the team apps ids.
+      // Team app is accessible to all the team members.
       $app_ids = $app_storage->getQuery()
+        ->accessCheck(FALSE)
         ->condition('companyName', $team->id())
         ->condition('name', $value)
         ->execute();

src/Controller/DeveloperAppKeysController.php

@@ -66,7 +66,10 @@ public function developerAppKeys($user, $app): JsonResponse {
     if ($user) {
       if ($developer_id = $user->get('apigee_edge_developer_id')->value) {
         $app_storage = $this->entityTypeManager->getStorage('developer_app');
+        // Lists all the developer apps ids for a particular
+        // developer email id and app name.
         $app_ids = $app_storage->getQuery()
+          ->accessCheck(FALSE)
           ->condition('developerId', $developer_id)
           ->condition('name', $app->getName())
           ->execute();

src/Entity/Storage/DeveloperAppStorage.php

@@ -106,7 +106,9 @@ protected function entityController(): EdgeEntityControllerInterface {
    * {@inheritdoc}
    */
   public function loadByDeveloper(string $developer_id): array {
-    $query = $this->getQuery();
+    // Lists all the developer apps ids for a particular
+    // developer email id and app name.
+    $query = $this->getQuery()->accessCheck(FALSE);
     // We have to figure out whether this is an email or a UUID to call the
     // best API endpoint that is possible.
     if ($this->emailValidator->isValid($developer_id)) {

src/ParamConverter/DeveloperAppNameConverter.php

@@ -79,7 +79,10 @@ public function convert($value, $definition, $name, array $defaults) {
       $developer_id = $user->get('apigee_edge_developer_id')->value;
       if ($developer_id) {
         $app_storage = $this->entityTypeManager->getStorage('developer_app');
+        // Lists all the developer apps ids for a particular
+        // developer email id and app name.
         $app_ids = $app_storage->getQuery()
+          ->accessCheck(FALSE)
           ->condition('developerId', $developer_id)
           ->condition('name', $value)
           ->execute();

tests/src/Functional/DeveloperAppUITestTrait.php

@@ -233,6 +233,7 @@ protected function assertAppCrud(?callable $beforeCreate = NULL, ?callable $afte
     $storage = \Drupal::entityTypeManager()->getStorage('developer_app');
     /** @var \Drupal\apigee_edge\Entity\DeveloperApp $app */
     $app = $storage->load(array_values($storage->getQuery()
+      ->accessCheck(TRUE)
       ->condition('developerId', $developer->uuid())
       ->condition('name', $name)
       ->execute())[0]);
@@ -348,6 +349,7 @@ protected function loadDeveloperApp(string $name, Developer $developer = NULL):
       $storage = \Drupal::entityTypeManager()->getStorage('developer_app');
       $results_ids = $storage
         ->getQuery()
+        ->accessCheck(FALSE)
         ->condition('developerId', $developer->uuid())
         ->condition('name', $name)
         ->execute();

tests/src/Functional/QueryTest.php

@@ -133,6 +133,7 @@ public function testQueries() {
    */
   protected function developerQueryTest() {
     $result = $this->developerStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('email', "{$this->prefix}.test", 'STARTS_WITH')
       ->condition('email', '@example.com', 'ENDS_WITH')
       ->sort('lastName')
@@ -145,6 +146,7 @@ protected function developerQueryTest() {
     ]), array_values($result));
 
     $result = $this->developerStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('email', "{$this->prefix}.test", 'STARTS_WITH')
       ->condition('email', '@example.com', 'ENDS_WITH')
       ->sort('email')
@@ -153,6 +155,7 @@ protected function developerQueryTest() {
     $this->assertEquals(array_values(["{$this->prefix}[email protected]"]), array_values($result));
 
     $result = $this->developerStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('email', "{$this->prefix}.test", 'STARTS_WITH')
       ->condition('email', '@example.com', 'ENDS_WITH')
       ->count()
@@ -177,19 +180,22 @@ protected function smartQueryTest() {
     // When primary id(s) of entities is set to something empty we should
     // get back an empty result.
     $result = $this->developerStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('email', NULL)
       ->count()
       ->execute();
     $this->assertEquals(0, $result);
 
     $result = $this->developerStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('developerId', NULL)
       ->count()
       ->execute();
     $this->assertEquals(0, $result);
 
     $developer = reset($this->edgeDevelopers);
     $result = $this->developerAppStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('developerId', $developer->getDeveloperId())
       ->count()
       ->execute();
@@ -199,12 +205,14 @@ protected function smartQueryTest() {
     // Edge by calling the proper API endpoint - is set to something empty
     // we should get back an empty result.
     $result = $this->developerAppStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('developerId', NULL)
       ->count()
       ->execute();
     $this->assertEquals(0, $result);
 
     $result = $this->developerAppStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('email', $developer->getEmail())
       ->count()
       ->execute();
@@ -214,6 +222,7 @@ protected function smartQueryTest() {
     // Edge by calling the proper API endpoint - is set to something empty
     // we should get back an empty result.
     $result = $this->developerAppStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('email', NULL)
       ->count()
       ->execute();
@@ -222,6 +231,7 @@ protected function smartQueryTest() {
     // If app name is set to something empty then query should not fail and
     // we should get back an empty list even if the developer has apps.
     $result = $this->developerAppStorage->getQuery()
+      ->accessCheck(FALSE)
       ->condition('email', $developer->getEmail())
       ->condition('name', NULL)
       ->count()