Verified Commit 1dc26aef authored by Jess

SA-CORE-2023-001 by danflanagan8, larowlan, xjm, seanB, Berdir, benjifisher,...

SA-CORE-2023-001 by danflanagan8, larowlan, xjm, seanB, Berdir, benjifisher, longwave, jenlampton, lauriii

(cherry picked from commit 147e3d5bb3d74cbe32c6498f792265f8f71406eb)
parent 749ee8a8
......@@ -2,6 +2,7 @@
namespace Drupal\media_library\Plugin\Field\FieldWidget;
use Drupal\Component\Render\FormattableMarkup;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\SortArray;
use Drupal\Core\Ajax\AjaxResponse;
......@@ -391,6 +392,20 @@ public function formElement(FieldItemListInterface $items, $delta, array $elemen
];
foreach ($referenced_entities as $delta => $media_item) {
if ($media_item->access('view')) {
// @todo Make the view mode configurable in https://www.drupal.org/project/drupal/issues/2971209
$preview = $view_builder->view($media_item, 'media_library');
}
else {
$item_label = $media_item->access('view label') ? $media_item->label() : new FormattableMarkup('@label @id', [
'@label' => $media_item->getEntityType()->getSingularLabel(),
'@id' => $media_item->id(),
]);
$preview = [
'#theme' => 'media_embed_error',
'#message' => $this->t('You do not have permission to view @item_label.', ['@item_label' => $item_label]),
];
}
$element['selection'][$delta] = [
'#theme' => 'media_library_item__widget',
'#attributes' => [
......@@ -414,22 +429,21 @@ public function formElement(FieldItemListInterface $items, $delta, array $elemen
'#value' => $this->t('Remove'),
'#media_id' => $media_item->id(),
'#attributes' => [
'aria-label' => $this->t('Remove @label', ['@label' => $media_item->label()]),
'aria-label' => $media_item->access('view label') ? $this->t('Remove @label', ['@label' => $media_item->label()]) : $this->t('Remove media'),
],
'#ajax' => [
'callback' => [static::class, 'updateWidget'],
'wrapper' => $wrapper_id,
'progress' => [
'type' => 'throbber',
'message' => $this->t('Removing @label.', ['@label' => $media_item->label()]),
'message' => $media_item->access('view label') ? $this->t('Removing @label.', ['@label' => $media_item->label()]) : $this->t('Removing media.'),
],
],
'#submit' => [[static::class, 'removeItem']],
// Prevent errors in other widgets from preventing removal.
'#limit_validation_errors' => $limit_validation_errors,
],
// @todo Make the view mode configurable in https://www.drupal.org/project/drupal/issues/2971209
'rendered_entity' => $view_builder->view($media_item, 'media_library'),
'rendered_entity' => $preview,
'target_id' => [
'#type' => 'hidden',
'#value' => $media_item->id(),
......@@ -698,9 +712,8 @@ public static function updateWidget(array $form, FormStateInterface $form_state)
// Announce the updated content to screen readers.
if ($is_remove_button) {
$announcement = new TranslatableMarkup('@label has been removed.', [
'@label' => Media::load($field_state['removed_item_id'])->label(),
]);
$media_item = Media::load($field_state['removed_item_id']);
$announcement = $media_item->access('view label') ? new TranslatableMarkup('@label has been removed.', ['@label' => $media_item->label()]) : new TranslatableMarkup('Media has been removed.');
}
else {
$new_items = count(static::getNewMediaItems($element, $form_state));
......
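Review bot: In the last hunk (`updateWidget()`), `Media::load($field_state['removed_item_id'])` returns NULL if the media item was deleted between building the form and the AJAX request, and the new `$media_item->access('view label')` call would then be a fatal error; the previous code had the same exposure through `->label()`. Guarding the load keeps the generic announcement as the fallback, e.g. `$announcement = ($media_item && $media_item->access('view label')) ? new TranslatableMarkup('@label has been removed.', ['@label' => $media_item->label()]) : new TranslatableMarkup('Media has been removed.');`. Separately, in `formElement()` the `access('view label')` decision is repeated for the preview fallback, the `aria-label` and the throbber message; evaluating it once per item into a local (say `$can_view_label`) would make it harder for a later edit to add a label use that skips the check. Both functions start and end outside the visible hunks.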
......@@ -4,6 +4,8 @@
use Drupal\field\Entity\FieldConfig;
use Drupal\FunctionalJavascriptTests\SortableTestTrait;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;
/**
* Tests the Media library entity reference widget.
......@@ -579,4 +581,58 @@ protected function sortableUpdate($item, $from, $to = NULL) {
$this->getSession()->executeScript($script);
}
/**
* Tests the preview displayed by the field widget.
*/
public function testWidgetPreview() {
$assert_session = $this->assertSession();
$page = $this->getSession()->getPage();
$node = $this->drupalCreateNode([
'type' => 'basic_page',
'field_unlimited_media' => [
$this->mediaItems['Horse'],
],
]);
$media_id = $this->mediaItems['Horse']->id();
// Assert that preview is present for current user, who can view media.
$this->drupalGet($node->toUrl('edit-form'));
$assert_session->elementTextContains('css', '[data-drupal-selector="edit-field-unlimited-media-selection-0"]', 'Horse');
$remove_button = $page->find('css', '[data-drupal-selector="edit-field-unlimited-media-selection-0-remove-button"]');
$this->assertSame('Remove Horse', $remove_button->getAttribute('aria-label'));
$assert_session->pageTextNotContains('You do not have permission to view media item');
$remove_button->press();
$this->waitForText("Removing Horse.");
$this->waitForText("Horse has been removed.");
// Logout without saving.
$this->drupalLogout();
// Create a user who can edit content but not view media.
// Must remove permission from authenticated role first, otherwise the new
// user will inherit that permission.
$role = Role::load(RoleInterface::AUTHENTICATED_ID);
$role->revokePermission('view media');
$role->save();
$non_media_editor = $this->drupalCreateUser([
'access content',
'create basic_page content',
'edit any basic_page content',
]);
$this->drupalLogin($non_media_editor);
// Assert that preview does not reveal media name.
$this->drupalGet($node->toUrl('edit-form'));
// There should be no preview name.
$assert_session->elementTextNotContains('css', '[data-drupal-selector="edit-field-unlimited-media-selection-0"]', 'Horse');
// The remove button should have a generic message.
$remove_button = $page->find('css', '[data-drupal-selector="edit-field-unlimited-media-selection-0-remove-button"]');
$this->assertSame('Remove media', $remove_button->getAttribute('aria-label'));
$assert_session->pageTextContains("You do not have permission to view media item $media_id.");
// Confirm ajax text does not reveal media name.
$remove_button->press();
$this->waitForText("Removing media.");
$this->waitForText("Media has been removed.");
}
}
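Review bot: The negative check for the restricted user, `elementTextNotContains(..., 'Horse')`, only inspects visible text inside the selection item, so a label leaking through an attribute (for example `alt`, `title` or another `aria-label`) or elsewhere in the response would not fail the test. Assuming nothing else on the edit form legitimately contains the name, adding `$assert_session->responseNotContains('Horse');` after the second `drupalGet()` would extend the regression guard to the whole response. Also, `$page->find()` returns NULL when the selector does not match, so `$remove_button = $assert_session->elementExists('css', '[data-drupal-selector="edit-field-unlimited-media-selection-0-remove-button"]');` would produce an assertion failure instead of a fatal error on `getAttribute()`.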