Commit 17e91ba7 authored by xjm's avatar xjm

SA-CORE-2020-011 by David_Rothstein, Chi, elarlang, dokumori, kyk, xjm,...

SA-CORE-2020-011 by David_Rothstein, Chi, elarlang, dokumori, kyk, xjm, mlhess, pwolanin, stefan.r, benjy, fgm, samuel.mortenson, larowlan, pandaski
parent 487c407b
......@@ -96,6 +96,10 @@ public static function valueCallback(&$element, $input, FormStateInterface $form
foreach ($input['fids'] as $fid) {
if ($file = File::load($fid)) {
$fids[] = $file->id();
if (!$file->access('download')) {
$force_default = TRUE;
break;
}
// Temporary files that belong to other users should never be
// allowed.
if ($file->isTemporary()) {
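Review bot: The `$file->access('download')` check runs after `$fids[] = $file->id();`, so the denied file's id is already in `$fids` when the loop breaks. The guard therefore only works if the code after the loop discards `$fids` whenever `$force_default` is set; that code is outside the hunk, as is the rest of valueCallback(). The check also has no comment, unlike the temporary-file check that follows it, so I would add `// Files the current user may not download must not be attachable by submitting their fid.` above the `if`. Consider logging the rejected fid as well, so attempts to reference files the user cannot access are visible to operators. The `+` markers are lost on this page, so which four lines are new is inferred from the hunk header.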
......
......@@ -92,11 +92,10 @@ public function testPrivateFile() {
$this->drupalGet('node/' . $new_node->id() . '/edit');
$this->getSession()->getPage()->find('css', 'input[name="' . $field_name . '[0][fids]"]')->setValue($node_file->id());
$this->getSession()->getPage()->pressButton(t('Save'));
// Make sure the form submit failed - we stayed on the edit form.
$this->assertUrl('node/' . $new_node->id() . '/edit');
// Check that we got the expected constraint form error.
$constraint = new ReferenceAccessConstraint();
$this->assertRaw(new FormattableMarkup($constraint->message, ['%type' => 'file', '%id' => $node_file->id()]));
$this->assertUrl('node/' . $new_node->id());
// Make sure the submitted hidden file field is empty.
$new_node = \Drupal::entityTypeManager()->getStorage('node')->loadUnchanged($new_node->id());
$this->assertTrue($new_node->get($field_name)->isEmpty());
// Attempt to reuse the existing file when creating a new node, and confirm
// that access is still denied.
$edit = [];
......@@ -107,9 +106,10 @@ public function testPrivateFile() {
$this->getSession()->getPage()->find('css', 'input[name="' . $field_name . '[0][fids]"]')->setValue($node_file->id());
$this->getSession()->getPage()->pressButton(t('Save'));
$new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
$this->assertTrue(empty($new_node), 'Node was not created.');
$this->assertUrl('node/add/' . $type_name);
$this->assertRaw(new FormattableMarkup($constraint->message, ['%type' => 'file', '%id' => $node_file->id()]));
$this->assertUrl('node/' . $new_node->id());
// Make sure the submitted hidden file field is empty.
$new_node = \Drupal::entityTypeManager()->getStorage('node')->loadUnchanged($new_node->id());
$this->assertTrue($new_node->get($field_name)->isEmpty());
// Now make file_test_file_download() return everything.
\Drupal::state()->set('file_test.allow_all', TRUE);
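Review bot: In the second testPrivateFile() hunk, `$new_node->id()` is dereferenced inside `assertUrl()` right after `drupalGetNodeByTitle()` with no assertion that a node was returned. A regression that blocks node creation would then surface as a fatal call on a non-object rather than a readable test failure. Adding `$this->assertNotEmpty($new_node, 'Node was created.');` before that `assertUrl()` call would pin the expectation. The `+`/`-` markers are lost on this page, so I am inferring that the `ReferenceAccessConstraint` message assertions and the 'Node was not created.' assertion are the removed side. testPrivateFile() starts and ends outside these hunks.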
......