From c490d4cac00a8b42729e29795e82b95208b324f0 Mon Sep 17 00:00:00 2001
From: Lauri Eskola <lauri.eskola@acquia.com>
Date: Tue, 14 Feb 2023 09:39:58 +0200
Subject: [PATCH] Issue #3331947 by idebr, Lendude, xjm: Accountform is missing
 an entity field access check for 'mail'

---
 core/modules/user/src/AccountForm.php                |  1 +
 .../modules/user_access_test/user_access_test.module |  6 ++++++
 .../user/tests/src/Functional/UserEditTest.php       | 12 ++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index 1f6d36bc2a54..263ec3bfc4a9 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -99,6 +99,7 @@ public function form(array $form, FormStateInterface $form_state) {
       '#description' => $this->t('The email address is not made public. It will only be used if you need to be contacted about your account or for opted-in notifications.'),
       '#required' => !(!$account->getEmail() && $user->hasPermission('administer users')),
       '#default_value' => (!$register ? $account->getEmail() : ''),
+      '#access' => $account->mail->access('edit'),
     ];
 
     // Only show name field on registration form or user can change own username.
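Review bot: The new `#access` line is evaluated on the registration path as well (`$register` true, `$account` an unsaved entity), but the accompanying test only exercises the edit form of an existing account, so a hook that behaves differently for new entities or anonymous users would go unnoticed. It is worth confirming that the user entity's default field access still grants `mail` edit on new accounts, and covering the register form in the test. A one-line why-comment above the new line would help the next reader, e.g. `// Honour entity field access so another module can withhold the address, e.g. when it is managed externally.` The enclosing form() continues outside the hunk.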
diff --git a/core/modules/user/tests/modules/user_access_test/user_access_test.module b/core/modules/user/tests/modules/user_access_test/user_access_test.module
index a5cdb4b3f5b1..4bb79a368ea5 100644
--- a/core/modules/user/tests/modules/user_access_test/user_access_test.module
+++ b/core/modules/user/tests/modules/user_access_test/user_access_test.module
@@ -56,5 +56,11 @@ function user_access_test_entity_field_access($operation, FieldDefinitionInterfa
     }
   }
 
+  if (\Drupal::state()->get('user_access_test_forbid_mail_edit', FALSE)) {
+    if ($operation === 'edit' && $items && $items->getEntity()->getEntityTypeId() === 'user' && $field_definition->getName() === 'mail') {
+      return AccessResult::forbidden();
+    }
+  }
+
   return AccessResult::neutral();
 }
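Review bot: The two nested `if`s on the added lines carry one condition and can be a single guard, with the `$operation`/`$field_definition->getName()` comparisons first so the state lookup (a storage read on every field access call) only runs for the one field it concerns. The `$items &&` guard is right to keep, since this hook can be invoked without items; a short comment saying so, `// $items is NULL for definition-level checks; only instance-level edit checks are denied.`, would stop someone from "simplifying" it away. The enclosing user_access_test_entity_field_access() starts outside the hunk.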
diff --git a/core/modules/user/tests/src/Functional/UserEditTest.php b/core/modules/user/tests/src/Functional/UserEditTest.php
index 11533bfb2d89..0db8950783da 100644
--- a/core/modules/user/tests/src/Functional/UserEditTest.php
+++ b/core/modules/user/tests/src/Functional/UserEditTest.php
@@ -245,4 +245,16 @@ public function testUserChangeSiteLanguage() {
     $this->assertSession()->statusCodeEquals(200);
   }
 
+  /**
+   * Tests the account form implements entity field access for mail.
+   */
+  public function testUserMailFieldAccess() {
+    \Drupal::state()->set('user_access_test_forbid_mail_edit', TRUE);
+    \Drupal::service('module_installer')->install(['user_access_test']);
+    $user = $this->drupalCreateUser();
+    $this->drupalLogin($user);
+    $this->drupalGet("user/" . $user->id() . "/edit");
+    $this->assertFalse($this->getSession()->getPage()->hasField('mail'));
+  }
+
 }
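Review bot: testUserMailFieldAccess asserts only the negative case, so a regression that hides `mail` unconditionally (or the module simply failing to install) would still pass; a control request before the state flag is set shows the assertion is meaningful. The rewrite below installs the test module, checks the field is present for the user's own edit form, then enables `user_access_test_forbid_mail_edit` and checks it disappears, which assumes the default access handler lets a user edit their own address, as the form already relied on before this change. The hidden field's submitted value being ignored on POST is the actual security property here and is not covered either; a follow-up could submit the form with a crafted `mail` value and assert the stored address is unchanged.
```php
  public function testUserMailFieldAccess() {
    \Drupal::service('module_installer')->install(['user_access_test']);
    $user = $this->drupalCreateUser();
    $this->drupalLogin($user);
    // Control: without the state flag the field is still offered.
    $this->drupalGet("user/" . $user->id() . "/edit");
    $this->assertTrue($this->getSession()->getPage()->hasField('mail'));

    \Drupal::state()->set('user_access_test_forbid_mail_edit', TRUE);
    $this->drupalGet("user/" . $user->id() . "/edit");
    $this->assertFalse($this->getSession()->getPage()->hasField('mail'));
  }
```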
-- 
GitLab