Unverified Commit 2971ea9d authored by larowlan

Issue #2934520 by tstoeckler: Avoid information disclosure by timing attack in...

Issue #2934520 by tstoeckler: Avoid information disclosure by timing attack in EntityResource::patch()
parent be569c75
......@@ -288,7 +288,7 @@ protected function checkPatchFieldAccess(FieldItemListInterface $original_field,
// the user has no legitimate way of knowing the current value of fields
// that they are not allowed to view, and we must not make the presence or
// absence of a 403 response a way to find that out.
if ($original_field->equals($received_field) && $original_field->access('view')) {
if ($original_field->access('view') && $original_field->equals($received_field)) {
return FALSE;
}
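Review bot: The reordered `if` condition depends on `&&` short-circuiting so that `$original_field->equals($received_field)` is never evaluated for a field the user cannot view, but the comment above it only discusses the 403 response and says nothing about operand order. Extend that comment with a sentence stating that the `access('view')` check must stay first, since the two orderings return the same result and a later cleanup could swap them back and reintroduce the timing difference without any functional test noticing. No test is visible in this hunk; if one is feasible, asserting that `equals()` is not called when view access is denied would lock the ordering in.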
......