From aba22591c6cccc34429641b1e5f8285908a36784 Mon Sep 17 00:00:00 2001
From: Shishir <75600200+shishir-intelli@users.noreply.github.com>
Date: Wed, 1 Feb 2023 14:03:32 +0530
Subject: [PATCH] Support for entity query access check (#791)

Fix api_product entity query access issue by adding support for entity query access check
---
 src/Entity/Query/Query.php | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/src/Entity/Query/Query.php b/src/Entity/Query/Query.php
index d8ac26ab..50e3a983 100644
--- a/src/Entity/Query/Query.php
+++ b/src/Entity/Query/Query.php
@@ -19,6 +19,7 @@
 namespace Drupal\apigee_edge\Entity\Query;
+use Drupal\Core\Cache\CacheableMetadata;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Entity\EntityTypeInterface;
 use Drupal\Core\Entity\EntityTypeManagerInterface;
@@ -84,9 +85,40 @@ public function execute() {
 // Basically, DeveloperAppQuery already applies a condition on the returned
 // result because this function gets called.
 $all_records = $this->getFromStorage();
- $filter = $this->condition->compile($this);
+ // @todo Proper entity query support that is aligned with the implementation
+ // in \Drupal\Core\Entity\Query\Sql\Query::prepare() can be only added
+ // if the following Entity API module issue is solved.
+ // https://www.drupal.org/project/entity/issues/3332956
+ // (Having a fix for a similar Group module issue is a nice to have,
+ // https://www.drupal.org/project/group/issues/3332963.)
+ if ($this->accessCheck) {
+ // Read meta-data from query, if provided.
+ if (!$account = $this->getMetaData('account')) {
+ // @todo DI dependency.
+ $account = \Drupal::currentUser();
+ }
+ $cacheability = CacheableMetadata::createFromRenderArray([]);
+ $all_records = array_filter($all_records, static function (EntityInterface $entity) use ($cacheability, $account) {
+ // Bubble up cacheability information even from a revoked access result.
+ $result = $entity->access('view', $account, TRUE);
+ $cacheability->addCacheableDependency($result);
+ return $result->isAllowed();
+ });
+ // @todo DI dependencies.
+ /** @var \Symfony\Component\HttpFoundation\Request $request */
+ $request = \Drupal::requestStack()->getCurrentRequest();
+ $renderer = \Drupal::service('renderer');
+ if ($request->isMethodCacheable() && $renderer->hasRenderContext()) {
+ $build = [];
+ $cacheability->applyTo($build);
+ $renderer->render($build);
+ }
+ }
+
+ $filter = $this->condition->compile($this);
 $result = array_filter($all_records, $filter);
+
 if ($this->count) {
 return count($result);
 }
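Review bot: `\Drupal::requestStack()->getCurrentRequest()` can return NULL when no request is on the stack (some CLI, queue or kernel-test contexts), and the added `$request->isMethodCacheable()` call would then throw instead of returning the access-filtered result; guarding it as `if ($request && $request->isMethodCacheable() && $renderer->hasRenderContext()) {` keeps the access filter usable there. The `$entity->access('view', $account, TRUE)` filter also runs over every record from `getFromStorage()` before `$this->condition->compile($this)` is applied, so access is evaluated and its cacheability bubbled for entities the conditions would discard anyway; applying the condition filter first should yield the same result set with fewer access calls, provided nothing later in execute() depends on the order. A short comment above the `array_filter()` call such as `// Entities the account cannot view are removed before conditions and counts are applied.` would make the security intent explicit. execute() starts before and continues past this hunk.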