Until Drupal 9.2, if ::accessCheck() is not called then the query would default to checking access, i.e. behave as if ::accessCheck(TRUE) had been called. This behavior has been the source of many bugs, as it is easy for developers to forget that this happens.
Drupal\Core\Entity\Query\QueryException: Entity queries must explicitly set whether the query should be access checked or not. See Drupal\Core\Entity\Query\QueryInterface::accessCheck(). in Drupal\Core\Entity\Query\Sql\Query->prepare() (line 141 of core/lib/Drupal/Core/Entity/Query/Sql/Query.php).
Not calling ::accessCheck() has now been deprecated, and all entity queries on content entities should always include an explicit call to ::accessCheck() prior to the query being executed. For Drupal 10 this will be enforced by throwing an exception if ::accessCheck() is not called.
Example:
BEFORE
// This gets all articles the current user can view.
$ids = \Drupal::entityQuery('node')
->condition('type', 'article')
->execute();
// This also gets all articles the current user can view.
$ids = \Drupal::entityQuery('node')
->accessCheck(TRUE)
->condition('type', 'article')
->execute();
// This gets all articles that exist regardless of access.
$ids = \Drupal::entityQuery('node')
->accessCheck(FALSE)
->condition('type', 'article')
->execute();
AFTER
// This will trigger a deprecation error.
$ids = \Drupal::entityQuery('node')
->condition('type', 'article')
->execute();
// Unchanged: This gets all articles the current user can view.
$ids = \Drupal::entityQuery('node')
->accessCheck(TRUE)
->condition('type', 'article')
->execute();
// Unchanged: This gets all articles that exist regardless of access.
$ids = \Drupal::entityQuery('node')
->accessCheck(FALSE)
->condition('type', 'article')
->execute();
Saved you some valuable time?
Buy me a drink 🍺 to keep me motivated to create free content like this!
