From d150335eb10c7805f0987472cab868b6ff2d2ff8 Mon Sep 17 00:00:00 2001
From: Adam Bramley <adam.bramley@previousnext.com.au>
Date: Wed, 2 Oct 2024 16:13:05 +1000
Subject: [PATCH] Fixes
---
 src/Controller/NodeRevisionController.php | 8 ++++++++
 src/Controller/PluginRevisionController.php | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/src/Controller/NodeRevisionController.php b/src/Controller/NodeRevisionController.php
index aed231c..b74d840 100644
--- a/src/Controller/NodeRevisionController.php
+++ b/src/Controller/NodeRevisionController.php
@@ -3,6 +3,8 @@
 namespace Drupal\diff\Controller;
 use Drupal\node\NodeInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 /**
 * Returns responses for Node Revision routes.
@@ -22,6 +24,9 @@ class NodeRevisionController extends PluginRevisionController {
 * Render array containing the revisions table for $node.
 */
 public function revisionOverview(NodeInterface $node) {
+ if (!$node->access('view')) {
+ throw new AccessDeniedHttpException();
+ }
 return $this->formBuilder()->getForm('Drupal\diff\Form\RevisionOverviewForm', $node);
 }
@@ -43,6 +48,9 @@ class NodeRevisionController extends PluginRevisionController {
 * Table showing the diff between the two node revisions.
 */
 public function compareNodeRevisions(NodeInterface $node, $left_revision, $right_revision, $filter) {
+ if (!$node->access('view')) {
+ throw new AccessDeniedHttpException();
+ }
 $storage = $this->entityTypeManager()->getStorage('node');
 $route_match = \Drupal::routeMatch();
 $left_revision = $storage->loadRevision($left_revision);
diff --git a/src/Controller/PluginRevisionController.php b/src/Controller/PluginRevisionController.php
index c6148ff..b266591 100644
--- a/src/Controller/PluginRevisionController.php
+++ b/src/Controller/PluginRevisionController.php
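Review bot: `use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;` is added to NodeRevisionController.php, but nothing in this file's hunks throws or catches it; the only new throw sites here use AccessDeniedHttpException, and the NotFoundHttpException is thrown in the base class PluginRevisionController, which imports it on its own. Unless a part of this file outside the patch uses it, drop the import so the file stays free of unused-use warnings from static analysis.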
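Review bot: The `$node->access('view')` guard added at the top of revisionOverview() is an imperative check inside the controller body, and the same three lines are repeated in compareNodeRevisions() in the following hunk; in Drupal this entity-access requirement is normally declared on the route (`_entity_access: 'node.view'` under `requirements` in the module's routing.yml), so the result is cached and applied consistently rather than depending on each controller method remembering it. The check is also evaluated against the node as loaded for the route, not against the individual revisions being listed or compared; per-revision access is only added in the base class hunk, and I cannot see from here whether RevisionOverviewForm does its own per-revision check, so if revision viewing is meant to require more than plain view access that is still not enforced for the overview. If the checks stay in the controllers, a one-line comment stating that they are a fallback for routes without `_entity_access` would tell the next maintainer why the duplication exists.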
@@ -13,6 +13,8 @@ use Drupal\diff\DiffEntityComparison;
 use Drupal\diff\DiffLayoutManager;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 /**
 * Base class for controllers that return responses on entity revision routes.
@@ -142,6 +144,12 @@ class PluginRevisionController extends ControllerBase {
 $revisions_ids[] = $revision_id;
 }
 }
+ if ($entity->id() !== $left_revision->id() || $entity->id() !== $right_revision->id()) {
+ throw new NotFoundHttpException();
+ }
+ if (!$right_revision->access('view') || !$left_revision->access('view')) {
+ throw new AccessDeniedHttpException();
+ }
 $build = [
 '#title' => $this->t('Changes to %title', ['%title' => $entity->label()]),
-- GitLab
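Review bot: The new identity check `$entity->id() !== $left_revision->id() || $entity->id() !== $right_revision->id()` assumes both revisions are loaded objects, but the subclass in this same patch obtains them via `$storage->loadRevision()`, which returns NULL for an unknown revision id; if a NULL reaches this point the `->id()` call is a fatal Error (HTTP 500) instead of the intended NotFoundHttpException. The start of this method is outside the hunk, so the loads may already be guarded; if they are not, fold the NULL case into the same condition, `if (!$left_revision || !$right_revision || $entity->id() !== $left_revision->id() || $entity->id() !== $right_revision->id()) {`, so a bad revision id and a revision of another entity both yield a 404. Ordering the ownership check before the access check is sound, since it keeps `access('view')` from being evaluated on revisions that do not belong to the routed entity. A short comment above the two checks, e.g. `// Reject revisions of other entities (404) before checking per-revision view access (403).`, would make the intended response codes explicit.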