Issue #2064181 by klausi: Fixed Filter format access bypass on POST/PATCH.

core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php

@@ -149,17 +149,13 @@ public function patch($id, EntityInterface $entity = NULL) {
     // Overwrite the received properties.
     foreach ($entity as $field_name => $field) {
       if (isset($entity->{$field_name})) {
-        if (empty($entity->{$field_name})) {
-          if (!$original_entity->get($field_name)->access('delete')) {
-            throw new AccessDeniedHttpException(t('Access denied on deleting field @field.', array('@field' => $field_name)));
-          }
-        }
-        else {
-          if (!$original_entity->get($field_name)->access('update')) {
-            throw new AccessDeniedHttpException(t('Access denied on updating field @field.', array('@field' => $field_name)));
-          }
+        if ($field->isEmpty() && !$original_entity->get($field_name)->access('delete')) {
+          throw new AccessDeniedHttpException(t('Access denied on deleting field @field.', array('@field' => $field_name)));
         }
         $original_entity->set($field_name, $field->getValue());
+        if (!$original_entity->get($field_name)->access('update')) {
+          throw new AccessDeniedHttpException(t('Access denied on updating field @field.', array('@field' => $field_name)));
+        }
       }
     }
 

core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php

@@ -80,8 +80,16 @@ public function testCreate() {
         $this->assertResponse(403);
         $this->assertFalse(entity_load_multiple($entity_type, NULL, TRUE), 'No entity has been created in the database.');
 
-        // Restore the valid test value.
+        // Try to create a field with a text format this user has no access to.
         $entity->field_test_text->value = $entity_values['field_test_text'][0]['value'];
+        $entity->field_test_text->format = 'full_html';
+        $serialized = $serializer->serialize($entity, $this->defaultFormat);
+        $this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType);
+        $this->assertResponse(422);
+        $this->assertFalse(entity_load_multiple($entity_type, NULL, TRUE), 'No entity has been created in the database.');
+
+        // Restore the valid test value.
+        $entity->field_test_text->format = 'plain_text';
         $serialized = $serializer->serialize($entity, $this->defaultFormat);
       }
 

core/modules/rest/lib/Drupal/rest/Tests/RESTTestBase.php

@@ -166,7 +166,10 @@ protected function entityValues($entity_type) {
         return array(
           'name' => $this->randomName(),
           'user_id' => 1,
-          'field_test_text' => array(0 => array('value' => $this->randomString())),
+          'field_test_text' => array(0 => array(
+            'value' => $this->randomString(),
+            'format' => 'plain_text',
+          )),
         );
       case 'node':
         return array('title' => $this->randomString(), 'type' => 'resttest');

core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php

@@ -51,7 +51,10 @@ public function testPatchUpdate() {
     $entity->save();
 
     // Create a second stub entity for overwriting a field.
-    $patch_values['field_test_text'] = array(0 => array('value' => $this->randomString()));
+    $patch_values['field_test_text'] = array(0 => array(
+      'value' => $this->randomString(),
+      'format' => 'plain_text',
+    ));
     $patch_entity = entity_create($entity_type, $patch_values);
     // We don't want to overwrite the UUID.
     unset($patch_entity->uuid);
@@ -90,7 +93,8 @@ public function testPatchUpdate() {
 
     // Enable access protection for the text field.
     // @see entity_test_entity_field_access()
-    $entity->field_test_text->value = 'no access value';
+    $entity->field_test_text->value = 'no delete access value';
+    $entity->field_test_text->format = 'plain_text';
     $entity->save();
 
     // Try to empty a field that is access protected.
@@ -99,16 +103,30 @@ public function testPatchUpdate() {
 
     // Re-load the entity from the database.
     $entity = entity_load($entity_type, $entity->id(), TRUE);
-    $this->assertEqual($entity->field_test_text->value, 'no access value', 'Text field was not updated.');
+    $this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not deleted.');
 
     // Try to update an access protected field.
+    $patch_entity->get('field_test_text')->value = 'no access value';
     $serialized = $serializer->serialize($patch_entity, $this->defaultFormat);
     $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', $serialized, $this->defaultMimeType);
     $this->assertResponse(403);
 
     // Re-load the entity from the database.
     $entity = entity_load($entity_type, $entity->id(), TRUE);
-    $this->assertEqual($entity->field_test_text->value, 'no access value', 'Text field was not updated.');
+    $this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated.');
+
+    // Try to update the field with a text format this user has no access to.
+    $patch_entity->set('field_test_text', array(
+      'value' => 'test',
+      'format' => 'full_html',
+    ));
+    $serialized = $serializer->serialize($patch_entity, $this->defaultFormat);
+    $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', $serialized, $this->defaultMimeType);
+    $this->assertResponse(422);
+
+    // Re-load the entity from the database.
+    $entity = entity_load($entity_type, $entity->id(), TRUE);
+    $this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated.');
 
     // Restore the valid test value.
     $entity->field_test_text->value = $this->randomString();