Commit 466759dc authored by alexpott's avatar alexpott

Issue #2405091 by marthinal, Berdir, RavindraSingh: Cannot create user...

Issue #2405091 by marthinal, Berdir, RavindraSingh: Cannot create user entities  - {"error":"Access denied on creating field pass"}
parent 49001708
......@@ -171,11 +171,8 @@ public function denormalize($data, $class, $format = NULL, array $context = arra
}
}
// Special handling for PATCH: pass the names of the fields whose values
// should be merged.
if (isset($context['request_method']) && $context['request_method'] == 'patch') {
$entity->_restPatchFields = array_keys($data);
}
// Pass the names of the fields whose values can be merged.
$entity->_restSubmittedFields = array_keys($data);
// Iterate through remaining items in data array. These should all
// correspond to fields.
......
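Review bot: The new comment above the `_restSubmittedFields` assignment only says the values "can be merged", which no longer describes what the list is for: the resource's post() and patch() hunks in this commit use it to decide which fields receive a field-access check at all, so the contract deserves stating where the list is built. Replace it with `// Record the field names the client submitted. The REST resource checks field access and merges values only for these names, so the list must be exactly the keys of $data.`. Because the property is now set on every request rather than only PATCH, its entries are client-controlled strings; whether unknown field names are rejected before this point depends on the earlier part of denormalize(), which starts outside the hunk.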
......@@ -197,6 +197,6 @@ public function testPatchDenormailzation() {
// Check that the one field got populated as expected.
$this->assertEqual($data['field_test_text'], $denormalized->get('field_test_text')->getValue());
// Check the custom property that contains the list of fields to merge.
$this->assertEqual($denormalized->_restPatchFields, ['field_test_text']);
$this->assertEqual($denormalized->_restSubmittedFields, ['field_test_text']);
}
}
......@@ -87,9 +87,13 @@ public function post(EntityInterface $entity = NULL) {
if (!$entity->isNew()) {
throw new BadRequestHttpException('Only new entities can be created');
}
foreach ($entity as $field_name => $field) {
if (!$field->access('create')) {
throw new AccessDeniedHttpException(String::format('Access denied on creating field ', array('@field' => $field_name)));
// Only check 'edit' permissions for fields that were actually
// submitted by the user. Field access makes no difference between 'create'
// and 'update', so the 'edit' operation is used here.
foreach ($entity->_restSubmittedFields as $key => $field_name) {
if (!$entity->get($field_name)->access('edit')) {
throw new AccessDeniedHttpException(String::format('Access denied on creating field @field', array('@field' => $field_name)));
}
}
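Review bot: The field-access check in post() now fails open when `_restSubmittedFields` was never set on the entity: it is an undeclared property attached by the denormalizer, so an entity produced by any other deserialization path leaves it undefined, the `foreach` over null only emits a warning and no per-field access check runs. Guard the loop, e.g. `if (!isset($entity->_restSubmittedFields)) { throw new BadRequestHttpException('No fields were submitted.'); }` (or fall back to checking every field of the entity), so an unexpected input shape is rejected rather than silently trusted; the patch() hunk below reads the same property unguarded. The `$key` loop variable is unused and can be dropped: `foreach ($entity->_restSubmittedFields as $field_name) {`. Unknown field names are presumably rejected in the denormalizer, but if not, `$entity->get($field_name)` would surface as an uncaught exception here rather than a 400. The body of post() begins before the hunk.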
......@@ -134,7 +138,7 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
// Overwrite the received properties.
$langcode_key = $entity->getEntityType()->getKey('langcode');
foreach ($entity->_restPatchFields as $field_name) {
foreach ($entity->_restSubmittedFields as $field_name) {
$field = $entity->get($field_name);
// It is not possible to set the language to NULL as it is automatically
// re-initialized. As it must not be empty, skip it if it is.
......
......@@ -9,7 +9,9 @@
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;
use Drupal\node\NodeInterface;
use Drupal\simpletest\WebTestBase;
use Drupal\user\UserInterface;
/**
* Test helper class that provides a REST client method to send HTTP requests.
......@@ -67,10 +69,13 @@ protected function setUp() {
* A Url object or system path.
* @param string $method
* HTTP method, one of GET, POST, PUT or DELETE.
* @param array $body
* @param string $body
* The body for POST and PUT.
* @param string $mime_type
* The MIME type of the transmitted content.
*
* @return string
* The content returned from the request.
*/
protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL) {
if (!isset($mime_type)) {
......@@ -345,4 +350,25 @@ protected function loadEntityFromLocationHeader($location_url) {
return entity_load($this->testEntityType, $id);
}
/**
* Remove node fields that can only be written by an admin user.
*
* @param \Drupal\node\NodeInterface $node
* The node to remove fields where non-administrative users cannot write.
*
* @return \Drupal\node\NodeInterface
* The node with removed fields.
*/
protected function removeNodeFieldsForNonAdminUsers(NodeInterface $node) {
$node->set('status', NULL);
$node->set('created', NULL);
$node->set('changed', NULL);
$node->set('promote', NULL);
$node->set('sticky', NULL);
$node->set('revision_timestamp', NULL);
$node->set('uid', NULL);
return $node;
}
}
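Review bot: removeNodeFieldsForNonAdminUsers() hard-codes the set of node fields a non-administrative user may not write, with nothing saying where that list comes from, so it will silently drift from the node access rules it mirrors and the POST tests will start failing (or, worse, stop exercising the access path) when a field is added there. Add to the docblock a line such as `Keep this list in sync with the fields the node access control handler treats as administrative.`, and reword the parameter description, which is hard to parse, to `The node whose administrative-only fields are unset.`. Unsetting the fields to NULL presumably relies on entity defaults being reinstated on save; if any of them is required, a failing POST would be for a different reason than the access check under test, so worth confirming with an assertion on the response body.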
......@@ -40,7 +40,7 @@
* },
* "translation" = "Drupal\user\ProfileTranslationHandler"
* },
* admin_permission = "administer user",
* admin_permission = "administer users",
* base_table = "users",
* data_table = "users_field_data",
* label_callback = "user_format_name",
......
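Review bot: The corrected `admin_permission` value is a one-word typo fix that nothing in the tree would have caught, since an entity annotation naming a permission no module defines fails silently: checks against it presumably just deny, which is how this surfaced as the access-denied error in the issue title. A test asserting that the user entity type's admin permission is among the permissions defined by the permission handler would catch the next such drift; the test changes elsewhere in this commit exercise the REST path but not the annotation itself.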