From 43c757167380643b5f73287a63a8739731a5b712 Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Tue, 15 Feb 2022 14:32:50 -0600
Subject: [PATCH] SA-CORE-2022-003 by ciss, xjm, larowlan, benjy, mcdruid,
 jenlampton, quicksketch, Fabianx, effulgentsia

---
 includes/form.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/form.inc b/includes/form.inc
index eb68412fdd28..6ada36e458c5 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -2087,7 +2087,7 @@ function _form_builder_handle_input_element($form_id, &$element, &$form_state) {
   // #access=FALSE on an element usually allow access for some users, so forms
   // submitted with drupal_form_submit() may bypass access restriction and be
   // treated as high-privilege users instead.
-  $process_input = empty($element['#disabled']) && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));
+  $process_input = empty($element['#disabled']) && ($element['#type'] !== 'value') && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));
 
   // Set the element's #value property.
   if (!isset($element['#value']) && !array_key_exists('#value', $element)) {
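Review bot: The new `($element['#type'] !== 'value')` clause on the `$process_input` line has no explanation; the comment block above it only covers `#access`, so a later refactor could drop the clause without realising it is a security boundary. I would add a line above the assignment such as `// Elements of #type 'value' carry server-side data and are never rendered, so their #value must never be populated from submitted input.` The clause also reads `$element['#type']` without a guard; whether `#type` is always set at this point is not visible in the hunk, so if an element can reach this function without one, `(!isset($element['#type']) || $element['#type'] !== 'value')` would avoid an undefined-index notice. The diffstat shows only includes/form.inc changed, so no regression test for a submitted value targeting a `value` element accompanies the fix. The body of _form_builder_handle_input_element() starts and ends outside the hunk.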
-- 
GitLab