Issue #2064181 by klausi: Fixed Filter format access bypass on POST/PATCH.

5c88ea31 · catch · 9e5def44 · 5c88ea31 · 5c88ea31 · 5c88ea31
Commit 5c88ea31 authored Sep 20, 2013 by catch
--- a/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
@@ -149,18 +149,14 @@ public function patch($id, EntityInterface $entity = NULL) {
    // Overwrite the received properties.
    foreach ($entity as $field_name => $field) {
      if (isset($entity->{$field_name})) {
-        if (empty($entity->{$field_name})) {
-          if (!$original_entity->get($field_name)->access('delete')) {
+        if ($field->isEmpty() && !$original_entity->get($field_name)->access('delete')) {
          throw new AccessDeniedHttpException(t('Access denied on deleting field @field.', array('@field' => $field_name)));
        }
-        }
-        else {
+        $original_entity->set($field_name, $field->getValue());
        if (!$original_entity->get($field_name)->access('update')) {
          throw new AccessDeniedHttpException(t('Access denied on updating field @field.', array('@field' => $field_name)));
        }
      }
-        $original_entity->set($field_name, $field->getValue());
-      }
    }

    // Validate the received data before saving.

--- a/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
@@ -80,8 +80,16 @@ public function testCreate() {
        $this->assertResponse(403);
        $this->assertFalse(entity_load_multiple($entity_type, NULL, TRUE), 'No entity has been created in the database.');

-        // Restore the valid test value.
+        // Try to create a field with a text format this user has no access to.
        $entity->field_test_text->value = $entity_values['field_test_text'][0]['value'];
+        $entity->field_test_text->format = 'full_html';
+        $serialized = $serializer->serialize($entity, $this->defaultFormat);
+        $this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType);
+        $this->assertResponse(422);
+        $this->assertFalse(entity_load_multiple($entity_type, NULL, TRUE), 'No entity has been created in the database.');
+
+        // Restore the valid test value.
+        $entity->field_test_text->format = 'plain_text';
        $serialized = $serializer->serialize($entity, $this->defaultFormat);
      }


--- a/core/modules/rest/lib/Drupal/rest/Tests/RESTTestBase.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/RESTTestBase.php
@@ -166,7 +166,10 @@ protected function entityValues($entity_type) {
        return array(
          'name' => $this->randomName(),
          'user_id' => 1,
-          'field_test_text' => array(0 => array('value' => $this->randomString())),
+          'field_test_text' => array(0 => array(
+            'value' => $this->randomString(),
+            'format' => 'plain_text',
+          )),
        );
      case 'node':
        return array('title' => $this->randomString(), 'type' => 'resttest');

--- a/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
@@ -51,7 +51,10 @@ public function testPatchUpdate() {
    $entity->save();

    // Create a second stub entity for overwriting a field.
-    $patch_values['field_test_text'] = array(0 => array('value' => $this->randomString()));
+    $patch_values['field_test_text'] = array(0 => array(
+      'value' => $this->randomString(),
+      'format' => 'plain_text',
+    ));
    $patch_entity = entity_create($entity_type, $patch_values);
    // We don't want to overwrite the UUID.
    unset($patch_entity->uuid);
@@ -90,7 +93,8 @@ public function testPatchUpdate() {

    // Enable access protection for the text field.
    // @see entity_test_entity_field_access()
-    $entity->field_test_text->value = 'no access value';
+    $entity->field_test_text->value = 'no delete access value';
+    $entity->field_test_text->format = 'plain_text';
    $entity->save();

    // Try to empty a field that is access protected.
@@ -99,16 +103,30 @@ public function testPatchUpdate() {

    // Re-load the entity from the database.
    $entity = entity_load($entity_type, $entity->id(), TRUE);
-    $this->assertEqual($entity->field_test_text->value, 'no access value', 'Text field was not updated.');
+    $this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not deleted.');

    // Try to update an access protected field.
+    $patch_entity->get('field_test_text')->value = 'no access value';
    $serialized = $serializer->serialize($patch_entity, $this->defaultFormat);
    $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', $serialized, $this->defaultMimeType);
    $this->assertResponse(403);

    // Re-load the entity from the database.
    $entity = entity_load($entity_type, $entity->id(), TRUE);
-    $this->assertEqual($entity->field_test_text->value, 'no access value', 'Text field was not updated.');
+    $this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated.');
+
+    // Try to update the field with a text format this user has no access to.
+    $patch_entity->set('field_test_text', array(
+      'value' => 'test',
+      'format' => 'full_html',
+    ));
+    $serialized = $serializer->serialize($patch_entity, $this->defaultFormat);
+    $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', $serialized, $this->defaultMimeType);
+    $this->assertResponse(422);
+
+    // Re-load the entity from the database.
+    $entity = entity_load($entity_type, $entity->id(), TRUE);
+    $this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated.');

    // Restore the valid test value.
    $entity->field_test_text->value = $this->randomString();