Unverified Commit 49f78bc3 authored by Alex Pott's avatar Alex Pott

Issue #3124302 by Sam152, seanB: The media library should perform access...

Issue #3124302 by Sam152, seanB: The media library should perform access checks against the revision of the entity being edited

(cherry picked from commit d901cf487be7462a4bd54abaf5d1b6f23a992160)
parent 8ecae1e3
...@@ -69,7 +69,11 @@ public function checkAccess(MediaLibraryState $state, AccountInterface $account) ...@@ -69,7 +69,11 @@ public function checkAccess(MediaLibraryState $state, AccountInterface $account)
$storage = $this->entityTypeManager->getStorage($entity_type_id); $storage = $this->entityTypeManager->getStorage($entity_type_id);
$access_handler = $this->entityTypeManager->getAccessControlHandler($entity_type_id); $access_handler = $this->entityTypeManager->getAccessControlHandler($entity_type_id);
if ($parameters['entity_id']) { if (!empty($parameters['revision_id'])) {
$entity = $storage->loadRevision($parameters['revision_id']);
$entity_access = $access_handler->access($entity, 'update', $account, TRUE);
}
elseif ($parameters['entity_id']) {
$entity = $storage->load($parameters['entity_id']); $entity = $storage->load($parameters['entity_id']);
$entity_access = $access_handler->access($entity, 'update', $account, TRUE); $entity_access = $access_handler->access($entity, 'update', $account, TRUE);
} }
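Review bot: The new `revision_id` branch hands the result of `$storage->loadRevision()` straight to `$access_handler->access()`, so a revision that no longer loads (deleted after the opener state and its hash were issued) produces NULL and a type error rather than an access denial; the pre-existing `load()` branch on the next lines has the same gap. A guard after each load, e.g. `if (!$entity) { return AccessResult::forbidden('The entity to check access for could not be loaded.'); }`, turns that into a defined forbidden result, assuming `AccessResult` is already imported in this file. The opener parameters are covered by the tamper-proof hash, so a client cannot substitute a mismatched `revision_id`, but what is done with `$entity_access` afterwards is not visible; checkAccess continues outside the hunk.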
......
...@@ -465,6 +465,10 @@ public function formElement(FieldItemListInterface $items, $delta, array $elemen ...@@ -465,6 +465,10 @@ public function formElement(FieldItemListInterface $items, $delta, array $elemen
// tamper-proof hash in a consistent way. // tamper-proof hash in a consistent way.
if (!$entity->isNew()) { if (!$entity->isNew()) {
$opener_parameters['entity_id'] = (string) $entity->id(); $opener_parameters['entity_id'] = (string) $entity->id();
if ($entity->getEntityType()->isRevisionable()) {
$opener_parameters['revision_id'] = (string) $entity->getRevisionId();
}
} }
$state = MediaLibraryState::create('media_library.opener.field_widget', $allowed_media_type_ids, $selected_type_id, $remaining, $opener_parameters); $state = MediaLibraryState::create('media_library.opener.field_widget', $allowed_media_type_ids, $selected_type_id, $remaining, $opener_parameters);
......
<?php
namespace Drupal\Tests\media_library\Kernel;
use Drupal\Core\Field\BaseFieldDefinition;
use Drupal\Core\Form\FormState;
use Drupal\entity_test\Entity\EntityTest;
use Drupal\entity_test\Entity\EntityTestRev;
use Drupal\KernelTests\KernelTestBase;
use Drupal\media\Entity\MediaType;
use Drupal\Tests\user\Traits\UserCreationTrait;
/**
* Tests the media library widget.
*
* @coversDefaultClass \Drupal\media_library\Plugin\Field\FieldWidget\MediaLibraryWidget
* @group media_library
*/
class MediaLibraryWidgetTest extends KernelTestBase {
use UserCreationTrait;
/**
* {@inheritdoc}
*/
protected static $modules = [
'media',
'media_library',
'field',
'image',
'system',
'views',
'user',
'entity_test',
];
/**
* An admin user.
*
* @var \Drupal\user\Entity\User
*/
protected $adminUser;
/**
* {@inheritdoc}
*/
protected function setUp(): void {
parent::setUp();
$this->baseField = BaseFieldDefinition::create('entity_reference')
->setName('media')
->setSetting('target_type', 'media')
->setSetting('handler_settings', ['target_bundles' => ['test_type' => 'test_type']]);
$this->container->get('state')->set('entity_test.additional_base_field_definitions', [
'media' => $this->baseField,
]);
$this->container->get('state')->set('entity_test_rev.additional_base_field_definitions', [
'media' => $this->baseField,
]);
$this->installEntitySchema('entity_test');
$this->installEntitySchema('entity_test_rev');
$this->installEntitySchema('user');
$this->installSchema('system', ['sequences', 'key_value_expire']);
$this->installConfig([
'system',
'image',
'media',
'media_library',
]);
MediaType::create([
'id' => 'test_type',
'label' => 'Test type',
'source' => 'image',
])->save();
// Create user 1 so the test user doesn't bypass access control.
$this->createUser();
$this->adminUser = $this->createUser([
'administer entity_test content',
'view media',
]);
}
/**
* Test the media library widget access.
*/
public function testWidgetAccess() {
$entity = EntityTest::create([
'name' => 'sample entity',
]);
$entity->save();
$element = $this->buildWidgetForm($entity);
$this->assertMediaLibraryStateAccess(TRUE, $this->adminUser, $element['open_button']['#media_library_state']);
}
/**
* Test the media library widget access with a revisionable entity type.
*/
public function testRevisionableWidgetAccess() {
$allowed_revision = EntityTestRev::create([
'name' => 'allowed_access',
]);
$allowed_revision->save();
$denied_revision = clone $allowed_revision;
$denied_revision->setNewRevision();
$denied_revision->name = 'forbid_access';
$denied_revision->save();
$element = $this->buildWidgetForm($allowed_revision);
$this->assertMediaLibraryStateAccess(TRUE, $this->adminUser, $element['open_button']['#media_library_state']);
$element = $this->buildWidgetForm($denied_revision);
$this->assertMediaLibraryStateAccess(FALSE, $this->adminUser, $element['open_button']['#media_library_state']);
}
/**
* Assert if the given user has access to the given state.
*
* @param bool $access
* The access result to assert.
* @param \Drupal\Core\Session\AccountInterface $user
* The user account.
* @param \Drupal\media_library\MediaLibraryState $state
* The media library state.
*
* @throws \Exception
*/
protected function assertMediaLibraryStateAccess($access, $user, $state) {
$ui_builder = $this->container->get('media_library.ui_builder');
$access_result = $ui_builder->checkAccess($user, $state);
$this->assertEquals($access, $access_result->isAllowed());
}
/**
* Build the media library widget form.
*
* @param \Drupal\Core\Entity\EntityInterface $entity
* The entity to build the form for.
*
* @return array
* A built form array of the media library widget.
*/
protected function buildWidgetForm($entity) {
$form = [
'#parents' => [],
];
return $this->container->get('plugin.manager.field.widget')->createInstance('media_library_widget', [
'field_definition' => $this->baseField,
'settings' => [],
'third_party_settings' => [],
])->formElement($entity->media, 0, ['#description' => ''], $form, new FormState());
}
}
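Review bot: `$this->baseField` is assigned in setUp() and read in buildWidgetForm() but never declared on the class, so it is a dynamic property (deprecated as of PHP 8.2) and invisible to static analysis; declare it next to `$adminUser`, e.g. `/** The media reference base field definition. @var \Drupal\Core\Field\BaseFieldDefinition */ protected $baseField;`. testRevisionableWidgetAccess() also depends on the name 'forbid_access' making update access on the second revision fail without saying so, presumably through the entity_test module's access hook; a one-line comment above `$denied_revision->name = 'forbid_access';` naming that dependency would make the expected FALSE result legible to the next reader. The assertion in assertMediaLibraryStateAccess() uses assertEquals on a boolean; assertSame would pin the type as well.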