Additional accessCheck() calls

.travis.yml

@@ -5,23 +5,27 @@ language: php
 php:
   - '7.4'
   - '8.0'
-  - nightly
+  - '8.1'
 
 env:
   global:
     - COMPOSER_MEMORY_LIMIT=2G
   matrix:
-    - TEST_SUITE=9.3.x
-    - TEST_SUITE=9.4.x
+    - TEST_SUITE=9.5.x
+    - TEST_SUITE=10.0.x
     - TEST_SUITE=PHP_CodeSniffer
 
 # Only run the coding standards check once.
 matrix:
   exclude:
     - php: 7.4
       env: TEST_SUITE=PHP_CodeSniffer
+    - php: 7.4
+      env: TEST_SUITE=10.0.x
     - php: 8.0
       env: TEST_SUITE=PHP_CodeSniffer
+    - php: 8.0
+      env: TEST_SUITE=10.0.x
 
 mysql:
   database: og
@@ -65,7 +69,7 @@ before_script:
 
   # Install Composer dependencies for core. Skip this for the coding standards test.
   - test ${TEST_SUITE} == "PHP_CodeSniffer" || composer install --working-dir=$DRUPAL_DIR
-  
+
   # Start a web server on port 8888 in the background.
   - test ${TEST_SUITE} == "PHP_CodeSniffer" || nohup php -S localhost:8888 --docroot $DRUPAL_DIR > /dev/null 2>&1 &
 

composer.json

@@ -24,13 +24,9 @@
             "homepage": "https://www.drupal.org/u/pfrenssen"
         }
     ],
-    "require": {
-        "php": "^7.4 || ^8",
-        "drupal/core": "^9.3"
-    },
     "require-dev": {
         "drupal/coder": "^8.3.16",
-        "phpunit/phpunit": "^7 || ^8"
+        "phpunit/phpunit": "^7 || ^8 || ^9"
     },
     "minimum-stability": "RC",
     "config": {

docs/access.md

@@ -30,7 +30,7 @@ members:
 
 ```php
 <?php
-
+// phpcs:ignoreFile
 namespace Drupal\my_module\EventSubscriber;
 
 use Drupal\Core\StringTranslation\StringTranslationTrait;

og.info.yml

@@ -2,9 +2,8 @@ name: Organic Groups
 description: API to allow associating content with groups.
 package: Organic Groups
 
-core_version_requirement: ^9
+core_version_requirement: ^9 || ^10
 type: module
-php: 7.1
 
 dependencies:
   - drupal:options

og.install

@@ -33,7 +33,7 @@ function og_update_8001(&$sandbox) {
     $sandbox['#finished'] = 0;
     $sandbox['batch_size'] = 500;
     $sandbox['current'] = 0;
-    $sandbox['total'] = $storage->getQuery()->count()->execute();
+    $sandbox['total'] = $storage->getQuery()->accessCheck()->count()->execute();
 
     if (!$sandbox['total']) {
       $sandbox['#finished'] = 1;
@@ -43,6 +43,7 @@ function og_update_8001(&$sandbox) {
 
   // Update the existing memberships to include the group bundle ID.
   $membership_ids = $storage->getQuery()
+    ->accessCheck()
     ->range($sandbox['current'], $sandbox['batch_size'])
     ->sort('id')
     ->execute();

og_ui/og_ui.info.yml

@@ -3,9 +3,9 @@ description: User interface for Organic Groups.
 package: Organic Groups
 
 type: module
-core_version_requirement: ^9
+core_version_requirement: ^9 || ^10
 
 dependencies:
-  - og
+  - og:og
 
 configure: og_ui.admin_index

og_ui/src/BundleFormAlter.php

@@ -95,7 +95,7 @@ protected function prepare(array &$form, FormStateInterface $form_state) {
     // Example: article.
     $this->bundle = $this->entity->id();
     // Example: Article.
-    $this->bundleLabel = Unicode::lcfirst($this->entity->label());
+    $this->bundleLabel = Unicode::lcfirst((string) $this->entity->label());
     $this->definition = $this->entity->getEntityType();
     // Example: node.
     $this->entityTypeId = $this->definition->getBundleOf();

og_ui/tests/src/Functional/BundleFormAlterTest.php

@@ -6,10 +6,10 @@
 
 use Drupal\Core\Form\FormState;
 use Drupal\Core\StringTranslation\TranslatableMarkup;
-use Drupal\Tests\BrowserTestBase;
 use Drupal\node\Entity\NodeType;
 use Drupal\og\Og;
 use Drupal\og_ui\BundleFormAlter;
+use Drupal\Tests\BrowserTestBase;
 
 /**
  * Test making a bundle a group and a group content.
@@ -21,7 +21,7 @@ class BundleFormAlterTest extends BrowserTestBase {
   /**
    * {@inheritdoc}
    */
-  public static $modules = ['block_content', 'entity_test', 'node', 'og_ui'];
+  protected static $modules = ['block_content', 'entity_test', 'node', 'og_ui'];
 
   /**
    * {@inheritdoc}

src/Controller/OgAdminRoutesController.php

@@ -76,7 +76,7 @@ public function overview(RouteMatchInterface $route_match) {
     $content = [];
 
     $event = new OgAdminRoutesEvent();
-    $event = $this->eventDispatcher->dispatch(OgAdminRoutesEventInterface::EVENT_NAME, $event);
+    $event = $this->eventDispatcher->dispatch($event, OgAdminRoutesEventInterface::EVENT_NAME);
 
     foreach ($event->getRoutes($entity_type_id) as $name => $info) {
       $route_name = "entity.$entity_type_id.og_admin_routes.$name";

src/Controller/OgAutocompleteController.php

@@ -6,9 +6,9 @@
 
 use Drupal\Component\Utility\Crypt;
 use Drupal\Component\Utility\Tags;
-use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Entity\EntityAutocompleteMatcher;
+use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\KeyValueStore\KeyValueStoreInterface;
 use Drupal\Core\PrivateKey;
 use Drupal\Core\Site\Settings;

src/Entity/OgMembership.php

@@ -544,8 +544,8 @@ public function preSave(EntityStorageInterface $storage) {
     }
 
     // Check for an existing membership.
-    $query = \Drupal::entityQuery('og_membership');
-    $query
+    $query = \Drupal::entityQuery('og_membership')
+      ->accessCheck()
       ->condition('uid', $uid)
       ->condition('entity_id', $entity_id)
       ->condition('entity_type', $this->get('entity_type')->value);

src/Entity/OgMembershipType.php

@@ -46,8 +46,8 @@
  *     "description"
  *   },
  *   links = {
- *     "edit-form" = "/admin/structure/membership-types/manage/{membership_type}",
- *     "delete-form" = "/admin/structure/membership-types/manage/{membership_type}/delete",
+ *     "edit-form" = "/admin/structure/membership-types/manage/{og_membership_type}",
+ *     "delete-form" = "/admin/structure/membership-types/manage/{og_membership_type}/delete",
  *     "collection" = "/admin/structure/membership-types",
  *   }
  * )

src/Entity/OgRole.php

@@ -352,7 +352,16 @@ protected function ogAccess() {
    * {@inheritdoc}
    */
   public function calculateDependencies() {
+    // The parent method is checking for the existence of each role-assigned
+    // permission. But in OG this isn't mandatory. Backup the permissions before
+    // calling the parent method and avoid performing the check.
+    // @see https://www.drupal.org/node/3193348
+    // @todo Consider decoupling 'og_role' from 'role' entity config and
+    //   implementing the missing methods in 'og_role'.
+    $permissions = $this->permissions;
+    $this->permissions = [];
     parent::calculateDependencies();
+    $this->permissions = $permissions;
 
     // Create a dependency on the group bundle.
     $bundle_config_dependency = \Drupal::entityTypeManager()->getDefinition($this->getGroupType())->getBundleConfigDependency($this->getGroupBundle());

src/Entity/OgRoleListBuilder.php

@@ -78,7 +78,9 @@ public function __construct(EntityTypeInterface $entity_type, EntityStorageInter
    * {@inheritdoc}
    */
   protected function getEntityIds() {
-    $query = $this->getStorage()->getQuery()
+    $query = $this->getStorage()
+      ->getQuery()
+      ->accessCheck()
       ->condition('group_type', $this->groupType, '=')
       ->condition('group_bundle', $this->groupBundle, '=')
       ->sort($this->entityType->getKey('weight'));

src/Event/AccessEventBase.php

@@ -10,7 +10,7 @@
 use Drupal\Core\Cache\RefinableCacheableDependencyTrait;
 use Drupal\Core\Entity\ContentEntityInterface;
 use Drupal\Core\Session\AccountInterface;
-use Symfony\Component\EventDispatcher\Event;
+use Symfony\Contracts\EventDispatcher\Event;
 
 /**
  * Base class for OG access events.

src/Event/DefaultRoleEvent.php

@@ -5,7 +5,7 @@
 namespace Drupal\og\Event;
 
 use Drupal\og\Entity\OgRole;
-use Symfony\Component\EventDispatcher\Event;
+use Symfony\Contracts\EventDispatcher\Event;
 
 /**
  * Event that is fired when default roles are compiled.
@@ -97,14 +97,15 @@ public function hasRole($name) {
   /**
    * {@inheritdoc}
    */
+  #[\ReturnTypeWillChange]
   public function offsetGet($key) {
     return $this->getRole($key);
   }
 
   /**
    * {@inheritdoc}
    */
-  public function offsetSet($key, $role) {
+  public function offsetSet($key, $role): void {
     $this->validate($role);
     if ($role->getName() !== $key) {
       throw new \InvalidArgumentException('The key and the "name" property of the role should be identical.');
@@ -115,21 +116,21 @@ public function offsetSet($key, $role) {
   /**
    * {@inheritdoc}
    */
-  public function offsetUnset($key) {
+  public function offsetUnset($key): void {
     $this->deleteRole($key);
   }
 
   /**
    * {@inheritdoc}
    */
-  public function offsetExists($key) {
+  public function offsetExists($key): bool {
     return $this->hasRole($key);
   }
 
   /**
    * {@inheritdoc}
    */
-  public function getIterator() {
+  public function getIterator(): \Traversable {
     return new \ArrayIterator($this->roles);
   }
 

src/Event/GroupCreationEvent.php

@@ -4,7 +4,7 @@
 
 namespace Drupal\og\Event;
 
-use Symfony\Component\EventDispatcher\Event;
+use Symfony\Contracts\EventDispatcher\Event;
 
 /**
  * The group creation event.

src/Event/OgAdminRoutesEvent.php

@@ -6,7 +6,7 @@
 
 use Drupal\Component\Utility\NestedArray;
 use Drupal\og\OgAccess;
-use Symfony\Component\EventDispatcher\Event;
+use Symfony\Contracts\EventDispatcher\Event;
 
 /**
  * Event that is fired when OG admin routes are being compiled.

src/Event/PermissionEvent.php

@@ -6,7 +6,7 @@
 
 use Drupal\og\GroupContentOperationPermission;
 use Drupal\og\PermissionInterface;
-use Symfony\Component\EventDispatcher\Event;
+use Symfony\Contracts\EventDispatcher\Event;
 
 /**
  * Event that is fired when OG permissions are compiled.

src/EventSubscriber/OgEventSubscriber.php

@@ -280,7 +280,7 @@ protected function getDefaultEntityOperationPermissions(array $group_content_bun
 
     foreach ($group_content_bundle_ids as $group_content_entity_type_id => $bundle_ids) {
       foreach ($bundle_ids as $bundle_id) {
-        $permissions += $this->generateEntityOperationPermissionList($group_content_entity_type_id, $bundle_id);
+        $permissions = array_merge($permissions, $this->generateEntityOperationPermissionList($group_content_entity_type_id, $bundle_id));
       }
     }
 

src/GroupTypeManager.php

@@ -284,7 +284,7 @@ public function addGroup($entity_type_id, $bundle_id) {
 
     // Trigger an event upon the new group creation.
     $event = new GroupCreationEvent($entity_type_id, $bundle_id);
-    $this->eventDispatcher->dispatch(GroupCreationEventInterface::EVENT_NAME, $event);
+    $this->eventDispatcher->dispatch($event, GroupCreationEventInterface::EVENT_NAME);
 
     $this->ogRoleManager->createPerBundleRoles($entity_type_id, $bundle_id);
     $this->refreshGroupMap();

src/MembershipManager.php

@@ -113,6 +113,7 @@ public function getMemberships($user_id, array $states = [OgMembershipInterface:
       $query = $this->entityTypeManager
         ->getStorage('og_membership')
         ->getQuery()
+        ->accessCheck()
         ->condition('uid', $user_id)
         ->condition('state', $states, 'IN');
 
@@ -132,10 +133,36 @@ public function getMembership(EntityInterface $group, $user_id, array $states =
       $user_id = $user_id->id();
     }
 
-    foreach ($this->getMemberships($user_id, $states) as $membership) {
-      if ($membership->getGroupEntityType() === $group->getEntityTypeId() && $membership->getGroupId() === $group->id()) {
-        return $membership;
-      }
+    // When an empty array is passed, retrieve memberships with all possible
+    // states.
+    $states = $this->prepareConditionArray($states, OgMembership::ALL_STATES);
+
+    $cid = [
+      __METHOD__,
+      $group->getEntityTypeId(),
+      $group->id(),
+      $user_id,
+      implode('|', $states),
+    ];
+    $cid = implode(':', $cid);
+
+    // Use cached result if it exists.
+    $membership_ids = $this->staticCache->get($cid)->data ?? [];
+    if (!$membership_ids) {
+      $query = $this->entityTypeManager
+        ->getStorage('og_membership')
+        ->getQuery()
+        ->accessCheck()
+        ->condition('entity_type', $group->getEntityTypeId())
+        ->condition('entity_id', $group->id())
+        ->condition('uid', $user_id)
+        ->condition('state', $states, 'IN');
+
+      $membership_ids = $query->execute();
+      $this->cacheMembershipIds($cid, $membership_ids);
+    }
+    if ($memberships = $this->loadMemberships($membership_ids)) {
+      return reset($memberships);
     }
 
     // No membership matches the request.
@@ -185,6 +212,7 @@ public function getGroupMembershipCount(EntityInterface $group, array $states =
     $query = $this->entityTypeManager
       ->getStorage('og_membership')
       ->getQuery()
+      ->accessCheck()
       ->condition('entity_id', $group->id());
 
     if ($states) {
@@ -231,6 +259,7 @@ public function getGroupMembershipIdsByRoleNames(EntityInterface $group, array $
       $query = $this->entityTypeManager
         ->getStorage('og_membership')
         ->getQuery()
+        ->accessCheck()
         ->condition('entity_type', $entity_type_id)
         ->condition('entity_id', $group->id())
         ->condition('state', $states, 'IN');
@@ -389,6 +418,7 @@ public function getGroupContentIds(EntityInterface $entity, array $entity_types
     $query = $this->entityTypeManager
       ->getStorage('field_storage_config')
       ->getQuery()
+      ->accessCheck()
       ->condition('type', OgGroupAudienceHelperInterface::GROUP_REFERENCE);
 
     // Optionally filter group content entity types.
@@ -418,6 +448,7 @@ public function getGroupContentIds(EntityInterface $entity, array $entity_types
       $results = $this->entityTypeManager
         ->getStorage($group_content_entity_type)
         ->getQuery()
+        ->accessCheck()
         ->condition($field->getName() . '.target_id', $entity->id())
         ->execute();
 

src/OgAccess.php

@@ -323,7 +323,7 @@ public function userAccessGroupContentEntityOperation(string $operation, EntityI
       $event->addCacheContexts(['user']);
     }
 
-    $this->dispatcher->dispatch(GroupContentEntityOperationAccessEvent::EVENT_NAME, $event);
+    $this->dispatcher->dispatch($event, GroupContentEntityOperationAccessEvent::EVENT_NAME);
 
     return $event->getAccessResult();
   }