Commit 509723e7 authored by xjm's avatar xjm

SA-CORE-2020-008 by amateescu, xjm, catch, larowlan, greggles, dixon

parent baecb096
......@@ -186,7 +186,11 @@ public function getActiveWorkspace() {
foreach ($this->negotiatorIds as $negotiator_id) {
$negotiator = $this->classResolver->getInstanceFromDefinition($negotiator_id);
if ($negotiator->applies($request)) {
if ($active_workspace = $negotiator->getActiveWorkspace($request)) {
// By default, 'view' access is checked when a workspace is activated,
// but it should also be checked when retrieving the currently active
// workspace.
if (($negotiated_workspace = $negotiator->getActiveWorkspace($request)) && $negotiated_workspace->access('view')) {
$active_workspace = $negotiated_workspace;
break;
}
}
......
......@@ -4,6 +4,7 @@
use Drupal\Tests\BrowserTestBase;
use Drupal\Tests\UpdatePathTestTrait;
use Drupal\Tests\user\Traits\UserCreationTrait;
/**
* Tests that there is no active workspace during database updates.
......@@ -12,12 +13,14 @@
* @group Update
*/
class ActiveWorkspaceUpdateTest extends BrowserTestBase {
use UpdatePathTestTrait;
use UserCreationTrait;
/**
* {@inheritdoc}
*/
protected static $modules = ['workspaces', 'workspace_update_test'];
protected static $modules = ['workspaces'];
/**
* {@inheritdoc}
......@@ -29,6 +32,11 @@ class ActiveWorkspaceUpdateTest extends BrowserTestBase {
*/
protected function setUp() {
parent::setUp();
$this->setUpCurrentUser([], ['view any workspace']);
$this->container->get('module_installer')->install(['workspace_update_test']);
$this->rebuildContainer();
// Ensure the workspace_update_test_post_update_check_active_workspace()
// update runs.
$existing_updates = \Drupal::keyValue('post_update')->get('existing_updates', []);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment