We need to implement access() methods for all fields on all entities so that we have a consistent access API and so that sensitive data is not exposed to unprivileged users. Use case example: the REST module needs to determine whether to show or hide a particular field when a consumer requests an entity. Who should be able to see the node status flag (published/unpublished)? Who should be able to retrieve user email addresses from the user entity? Who is allowed to change the node author?
This issue is major since a missing access implementation can have security implications. Individual issues fixing access() might even be critical because of access bypass vulnerabilities.
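As an added illustration (not code from this issue or from core), the three field-level decisions asked about above, written against the hook_entity_field_access() and AccessResult API that the Drupal 8 release ended up with; the module name "fieldguard" and the exact permission choices are assumptions:

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\EntityOwnerInterface;

/**
 * Implements hook_entity_field_access() for a hypothetical "fieldguard" module.
 *
 * Results are combined with the entity's own access control handler; a
 * forbidden result from here wins, so this hook can only tighten access.
 */
function fieldguard_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  $entity_type = $field_definition->getTargetEntityTypeId();
  $field = $field_definition->getName();
  // $items is NULL when access is checked without a concrete entity, so
  // ownership cannot be established and is treated as "not the owner".
  $entity = $items ? $items->getEntity() : NULL;
  $is_owner = $entity instanceof EntityOwnerInterface
    && $entity->getOwnerId() == $account->id();

  if ($entity_type === 'node' && $field === 'status' && $operation === 'view') {
    // Published/unpublished flag: node administrators, or the owner who may
    // view their own unpublished content. Everyone else gets it hidden.
    $allowed = $account->hasPermission('administer nodes')
      || ($is_owner && $account->hasPermission('view own unpublished content'));
    return AccessResult::forbiddenIf(!$allowed)->cachePerPermissions()->cachePerUser();
  }

  if ($entity_type === 'node' && $field === 'uid' && $operation === 'edit') {
    // Reassigning the author is an administrative action.
    return AccessResult::forbiddenIf(!$account->hasPermission('administer nodes'))
      ->cachePerPermissions();
  }

  if ($entity_type === 'user' && $field === 'mail' && $operation === 'view') {
    // Email addresses: only the account holder and user administrators.
    $allowed = $account->hasPermission('administer users')
      || ($entity && $entity->id() == $account->id());
    return AccessResult::forbiddenIf(!$allowed)->cachePerPermissions()->cachePerUser();
  }

  // Every other field: no opinion, the entity's access handler decides.
  return AccessResult::neutral();
}
```

The cache metadata (per-permissions, per-user) matters as much as the verdict: without it a render or REST cache entry produced for an administrator could be served to an unprivileged user.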
Remaining tasks
- Collect a list of fields of all core entities.
- Create issues to implement the access check for each field.
- Track the issues here.
Related Issues
(A list of related issues.)