Commit 1c94124a authored by alexpott's avatar alexpott
Browse files

Issue #2344151 by larowlan: Comment field access doesn't work if $items isn't present

parent 4243b609
......@@ -57,8 +57,6 @@ protected function checkCreateAccess(AccountInterface $account, array $context,
* {@inheritdoc}
*/
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
/** @var \Drupal\comment\CommentInterface $entity */
$entity = $items->getEntity();
if ($operation == 'edit') {
// Only users with the "administer comments" permission can edit
// administrative fields.
......@@ -87,13 +85,22 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
if (in_array($field_definition->getName(), $read_only_fields, TRUE)) {
return AccessResult::forbidden();
}
$commented_entity = $entity->getCommentedEntity();
$anonymous_contact = $commented_entity->get($entity->getFieldName())->getFieldDefinition()->getSetting('anonymous_contact');
// If the field is configured to accept anonymous contact details - admins
// can edit name, homepage and mail. Anonymous users can also fill in the
// fields on comment creation.
if (in_array($field_definition->getName(), ['name', 'mail', 'homepage'], TRUE)) {
if (!$items) {
// We cannot make a decision about access to edit these fields if we
// don't have any items and therefore cannot determine the Comment
// entity. In this case we err on the side of caution and prevent edit
// access.
return AccessResult::forbidden();
}
/** @var \Drupal\comment\CommentInterface $entity */
$entity = $items->getEntity();
$commented_entity = $entity->getCommentedEntity();
$anonymous_contact = $commented_entity->get($entity->getFieldName())->getFieldDefinition()->getSetting('anonymous_contact');
$admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
$anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && $anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT && $account->hasPermission('post comments'))
->cachePerRole()
......@@ -105,14 +112,17 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
}
if ($operation == 'view') {
$entity = $items ? $items->getEntity() : NULL;
// Admins can view any fields except hostname, other users need both the
// "access comments" permission and for the comment to be published. The
// mail field is hidden from non-admins.
$admin_access = AccessResult::allowedIf($account->hasPermission('administer comments') && $field_definition->getName() != 'hostname')
->cachePerRole();
$anonymous_access = AccessResult::allowedIf($account->hasPermission('access comments') && $entity->isPublished() && !in_array($field_definition->getName(), array('mail', 'hostname'), TRUE))
->cacheUntilEntityChanges($entity)
$anonymous_access = AccessResult::allowedIf($account->hasPermission('access comments') && (!$entity || $entity->isPublished()) && !in_array($field_definition->getName(), array('mail', 'hostname'), TRUE))
->cachePerRole();
if ($entity) {
$anonymous_access->cacheUntilEntityChanges($entity);
}
return $admin_access->orIf($anonymous_access);
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
......
<?php
/**
* @file
* Contains \Drupal\comment\Tests\Views\CommentRestExportTest.
*/
namespace Drupal\comment\Tests\Views;
use Drupal\Component\Serialization\Json;
/**
* Tests a comment rest export view.
*
* @group comment
*/
class CommentRestExportTest extends CommentTestBase {
/**
* Views used by this test.
*
* @var array
*/
public static $testViews = ['test_comment_rest'];
/**
* {@inheritdoc}
*/
public static $modules = ['node', 'comment', 'comment_test_views', 'rest', 'hal'];
protected function setUp() {
parent::setUp();
// Add another anonymous comment.
$comment = array(
'uid' => 0,
'entity_id' => $this->nodeUserCommented->id(),
'entity_type' => 'node',
'field_name' => 'comment',
'subject' => 'A lot, apparently',
'cid' => '',
'pid' => $this->comment->id(),
'mail' => 'someone@example.com',
'name' => 'bobby tables',
'hostname' => 'public.example.com',
);
$this->comment = entity_create('comment', $comment);
$this->comment->save();
}
/**
* Test comment row.
*/
public function testCommentRestExport() {
$this->drupalGet(sprintf('node/%d/comments', $this->nodeUserCommented->id()), [], ['Accept' => 'application/hal+json']);
$this->assertResponse(200);
$contents = Json::decode($this->getRawContent());
$this->assertEqual($contents[0]['subject'], 'How much wood would a woodchuck chuck');
$this->assertEqual($contents[1]['subject'], 'A lot, apparently');
$this->assertEqual(count($contents), 2);
// Ensure field-level access is respected - user shouldn't be able to see
// mail or hostname fields.
$this->assertNoText('someone@example.com');
$this->assertNoText('public.example.com');
}
}
......@@ -79,9 +79,10 @@ protected function setUp() {
'entity_id' => $this->nodeUserCommented->id(),
'entity_type' => 'node',
'field_name' => 'comment',
'subject' => 'How much wood would a woodchuck chuck',
'cid' => '',
'pid' => '',
'node_type' => '',
'mail' => 'someone@example.com',
);
$this->comment = entity_create('comment', $comment);
$this->comment->save();
......
langcode: en
status: true
dependencies:
config:
- field.storage.comment.comment_body
module:
- comment
- node
- rest
- text
- user
id: test_comment_rest
label: 'Comments by node'
module: views
description: ''
tag: ''
base_table: comment
base_field: cid
core: 8.x
display:
default:
display_plugin: default
id: default
display_title: Master
position: 0
display_options:
access:
type: perm
options:
perm: 'access content'
cache:
type: none
options: { }
query:
type: views_query
options:
disable_sql_rewrite: false
distinct: false
replica: false
query_comment: false
query_tags: { }
exposed_form:
type: basic
options:
submit_button: Apply
reset_button: false
reset_button_label: Reset
exposed_sorts_label: 'Sort by'
expose_sort_order: true
sort_asc_label: Asc
sort_desc_label: Desc
pager:
type: full
options:
items_per_page: 10
offset: 0
id: 0
total_pages: null
expose:
items_per_page: false
items_per_page_label: 'Items per page'
items_per_page_options: '5, 10, 25, 50'
items_per_page_options_all: false
items_per_page_options_all_label: '- All -'
offset: false
offset_label: Offset
tags:
previous: ' previous'
next: 'next ›'
first: '« first'
last: 'last »'
quantity: 9
style:
type: serializer
row:
type: fields
options:
inline: { }
separator: ''
hide_empty: false
default_field_elements: true
relationships:
node:
id: node
table: comment_field_data
field: node
required: true
plugin_id: standard
relationship: none
group_type: group
admin_label: Content
fields:
subject:
id: subject
table: comment_field_data
field: subject
relationship: none
group_type: group
entity_type: comment
entity_field: subject
admin_label: ''
label: ''
exclude: false
alter:
alter_text: false
text: ''
make_link: false
path: ''
absolute: false
external: false
replace_spaces: false
path_case: none
trim_whitespace: false
alt: ''
rel: ''
link_class: ''
prefix: ''
suffix: ''
target: ''
nl2br: false
max_length: ''
word_boundary: true
ellipsis: true
more_link: false
more_link_text: ''
more_link_path: ''
strip_tags: false
trim: false
preserve_tags: ''
html: false
element_type: ''
element_class: ''
element_label_type: ''
element_label_class: ''
element_label_colon: false
element_wrapper_type: ''
element_wrapper_class: ''
element_default_classes: true
empty: ''
hide_empty: false
empty_zero: false
hide_alter_empty: true
link_to_comment: true
link_to_entity: false
plugin_id: comment
name:
id: name
table: comment_field_data
field: name
entity_type: comment
entity_field: name
relationship: none
group_type: group
admin_label: ''
label: ''
exclude: false
alter:
alter_text: false
text: ''
make_link: false
path: ''
absolute: false
external: false
replace_spaces: false
path_case: none
trim_whitespace: false
alt: ''
rel: ''
link_class: ''
prefix: ''
suffix: ''
target: ''
nl2br: false
max_length: ''
word_boundary: true
ellipsis: true
more_link: false
more_link_text: ''
more_link_path: ''
strip_tags: false
trim: false
preserve_tags: ''
html: false
element_type: ''
element_class: ''
element_label_type: ''
element_label_class: ''
element_label_colon: false
element_wrapper_type: ''
element_wrapper_class: ''
element_default_classes: true
empty: ''
hide_empty: false
empty_zero: false
hide_alter_empty: true
link_to_user: false
plugin_id: comment_username
created:
id: created
table: comment_field_data
field: created
entity_type: comment
entity_field: created
relationship: none
group_type: group
admin_label: ''
label: ''
exclude: false
alter:
alter_text: false
text: ''
make_link: false
path: ''
absolute: false
external: false
replace_spaces: false
path_case: none
trim_whitespace: false
alt: ''
rel: ''
link_class: ''
prefix: ''
suffix: ''
target: ''
nl2br: false
max_length: ''
word_boundary: true
ellipsis: true
more_link: false
more_link_text: ''
more_link_path: ''
strip_tags: false
trim: false
preserve_tags: ''
html: false
element_type: ''
element_class: ''
element_label_type: ''
element_label_class: ''
element_label_colon: false
element_wrapper_type: ''
element_wrapper_class: ''
element_default_classes: true
empty: ''
hide_empty: false
empty_zero: false
hide_alter_empty: true
date_format: long
custom_date_format: ''
timezone: ''
plugin_id: date
comment_body:
id: comment_body
table: comment__comment_body
field: comment_body
relationship: none
entity_type: comment
entity_field: comment_body
group_type: group
admin_label: ''
label: ''
exclude: false
alter:
alter_text: false
text: ''
make_link: false
path: ''
absolute: false
external: false
replace_spaces: false
path_case: none
trim_whitespace: false
alt: ''
rel: ''
link_class: ''
prefix: ''
suffix: ''
target: ''
nl2br: false
max_length: ''
word_boundary: true
ellipsis: true
more_link: false
more_link_text: ''
more_link_path: ''
strip_tags: false
trim: false
preserve_tags: ''
html: false
element_type: ''
element_class: ''
element_label_type: ''
element_label_class: ''
element_label_colon: false
element_wrapper_type: ''
element_wrapper_class: ''
element_default_classes: true
empty: ''
hide_empty: false
empty_zero: false
hide_alter_empty: true
click_sort_column: value
type: text_default
settings: { }
group_column: value
group_columns: { }
group_rows: true
delta_limit: all
delta_offset: '0'
delta_reversed: false
delta_first_last: false
multi_type: separator
separator: ', '
field_api_classes: false
plugin_id: field
filters: { }
sorts: { }
header: { }
footer: { }
empty: { }
arguments:
nid:
id: nid
table: node
field: nid
relationship: node
group_type: group
admin_label: ''
default_action: default
exception:
value: all
title_enable: false
title: All
title_enable: false
title: ''
default_argument_type: node
default_argument_skip_url: false
summary_options:
base_path: ''
count: true
items_per_page: 25
override: false
summary:
sort_order: asc
number_of_records: 0
format: default_summary
specify_validation: false
validate:
type: none
fail: 'not found'
validate_options: { }
break_phrase: false
not: false
plugin_id: numeric
field_langcode: '***LANGUAGE_language_content***'
field_langcode_add_to_query: null
display_extenders: { }
rest_export_1:
display_plugin: rest_export
id: rest_export_1
display_title: 'REST export'
position: 1
display_options:
field_langcode: '***LANGUAGE_language_content***'
field_langcode_add_to_query: null
path: node/%node/comments
pager:
type: some
options:
items_per_page: 10
offset: 0
style:
type: serializer
options:
uses_fields: false
formats:
json: json
row:
type: data_field
options:
field_options:
subject:
alias: ''
raw_output: true
name:
alias: ''
raw_output: true
display_extenders: { }
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment