Drupal life hacks
Drupal security

By admin, 28 November, 2025

Why Direct Database Queries in Drupal Are Dangerous: Understanding Entity Access and Real-World Failures

When working with Drupal entities, many developers assume that access control “just works.” This is only partially true. Drupal does provide a robust access system — but only when you interact with entities using the Entity API.

However, if you run raw SQL queries, write custom EntityQuery logic, or misconfigure Views, you can accidentally expose sensitive content to unauthorized users.

Tags

  • Drupal
  • Entity Access
  • Access Control
  • EntityQuery
  • Drupal security
  • Views
  • SQL Queries

By admin, 20 November, 2025
Drupal 11.3: Introducing the TwigAllowed Attribute for Safer Twig Templates

With Drupal 11.3, the way Twig templates access object methods has received a significant upgrade. The new TwigAllowed attribute provides developers and themers with a more secure and explicit method to control which object methods can be called from Twig.
The Problem with Legacy Method Access

Before Drupal 11.3, Twig templates could automatically access certain methods of objects based on magic prefixes like get, is, and has. For example:

Tags

  • Drupal
  • TwigAllowed
  • Twig
  • Drupal security