RESTful-Drupal / restful

RESTful best practices for Drupal
https://drupal.org/project/restful

DataProviderEntity missing 'node_access' tag if fieldCondition or sort present #974

Open tnightingale opened 7 years ago

tnightingale commented 7 years ago

Our site-wide permissions limit access for all users to a node of a specific content-type. However we override this with OG's group-based access control (implemented with hook_node_grants, hook_node_access and family). We use restful's DataProviderNode data provider class (extends DataProviderEntity) to expose these nodes as an API resource.

For OG to grant authorization to access our content, it needs a chance to have its input on the query. This is generally provided by the node_access query alteration tag.

Unfortunately DataProviderEntity doesn't add the node_access tag if a fieldCondition or field sort is present on the query. We don't have any field conditions but DataProviderEntity provides a default sort by nid if no explicit sort is provided.

This leaves us with strange behaviour in our API's resource listing results:

As it seems to have been a deliberate decision to not add the node_access tag under these circumstances, I tried to find out why this was the case. Here is the commit which added the logic and a little bit of discussion elsewhere that seems to refer to security implications from adding the tag. However neither of these appear to clearly explain the reasoning behind this decision.

Is anyone able to provide some insight on this decision?
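The grants mechanism the issue relies on, as an added Drupal 7 example (not code from the restful module or from the reporter): a node listing with the same default sort by nid but with the node_access tag kept on the query, beside a minimal hook_node_grants / hook_node_access_records pair in the style OG uses. The bundle name, the `example_group` realm, the `$node->example_gids` property and the membership map are constructed for illustration.

```php
<?php
// Added example, not part of the restful module. Shows why the node_access
// tag matters for a listing query: without it, hook_node_grants() never runs.

/**
 * List node IDs of $bundle that $account may view, sorted by nid like the
 * restful default sort. No fieldCondition is used, so the query runs against
 * the node base table, which the node_access alter needs to find.
 */
function example_list_accessible_nids($bundle, $account, $limit = 10) {
  $query = new EntityFieldQuery();
  $query->entityCondition('entity_type', 'node')
    ->entityCondition('bundle', $bundle)
    ->propertyCondition('status', NODE_PUBLISHED)
    ->propertyOrderBy('nid', 'ASC')
    ->range(0, $limit)
    // Without this tag the query bypasses the {node_access} table entirely
    // and returns every node of the bundle regardless of group membership.
    ->addTag('node_access')
    // Evaluate grants for the requesting user rather than the global $user.
    ->addMetaData('account', $account);
  $result = $query->execute();
  return isset($result['node']) ? array_keys($result['node']) : array();
}

/** Constructed sample membership data (uid => group ids) standing in for OG. */
function example_user_group_ids($account) {
  $memberships = array(1 => array(10), 2 => array(10, 20));
  return isset($memberships[$account->uid]) ? $memberships[$account->uid] : array();
}

/**
 * Implements hook_node_grants(): the realm/gid pairs that the node_access
 * alter matches against rows written by hook_node_access_records().
 */
function example_node_grants($account, $op) {
  $grants = array();
  if ($op == 'view') {
    $grants['example_group'] = example_user_group_ids($account);
  }
  return $grants;
}

/** Implements hook_node_access_records(); $node->example_gids is constructed. */
function example_node_access_records($node) {
  $records = array();
  foreach ((array) $node->example_gids as $gid) {
    $records[] = array('realm' => 'example_group', 'gid' => $gid,
      'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 0);
  }
  return $records;
}
```

Run node_access_rebuild() after changing hook_node_access_records() so the {node_access} rows exist for the tag to consult.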