Commit
5c88ea31
authored
Sep 20, 2013
by
catch
Issue
#2064181
by klausi: Fixed Filter format access bypass on POST/PATCH.
parent
9e5def44
Changes
4
core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
@@ -149,17 +149,13 @@ public function patch($id, EntityInterface $entity = NULL) {
// Overwrite the received properties.
foreach
(
$entity
as
$field_name
=>
$field
)
{
if
(
isset
(
$entity
->
{
$field_name
}))
{
if
(
empty
(
$entity
->
{
$field_name
}))
{
if
(
!
$original_entity
->
get
(
$field_name
)
->
access
(
'delete'
))
{
throw
new
AccessDeniedHttpException
(
t
(
'Access denied on deleting field @field.'
,
array
(
'@field'
=>
$field_name
)));
}
}
else
{
if
(
!
$original_entity
->
get
(
$field_name
)
->
access
(
'update'
))
{
throw
new
AccessDeniedHttpException
(
t
(
'Access denied on updating field @field.'
,
array
(
'@field'
=>
$field_name
)));
}
if
(
$field
->
isEmpty
()
&&
!
$original_entity
->
get
(
$field_name
)
->
access
(
'delete'
))
{
throw
new
AccessDeniedHttpException
(
t
(
'Access denied on deleting field @field.'
,
array
(
'@field'
=>
$field_name
)));
}
$original_entity
->
set
(
$field_name
,
$field
->
getValue
());
if
(
!
$original_entity
->
get
(
$field_name
)
->
access
(
'update'
))
{
throw
new
AccessDeniedHttpException
(
t
(
'Access denied on updating field @field.'
,
array
(
'@field'
=>
$field_name
)));
}
}
}
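Review bot: The second `access('update')` check, run right after `$original_entity->set($field_name, $field->getValue())`, is the substance of the fix but carries no comment saying why update access is evaluated twice for the same field, so a later reader may drop it as redundant. Add above it `// Re-check update access on the new value: some checks (e.g. the text format) depend on the submitted value, not the stored one.` Note that when this second check throws, `$original_entity` has already been mutated in memory; that looks harmless as long as the exception aborts the request before any save, which happens outside this hunk. The enclosing `patch()` starts before the hunk and continues past it.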
core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
@@ -80,8 +80,16 @@ public function testCreate() {
$this
->
assertResponse
(
403
);
$this
->
assertFalse
(
entity_load_multiple
(
$entity_type
,
NULL
,
TRUE
),
'No entity has been created in the database.'
);
//
Restore the valid
te
s
t
value
.
//
Try to create a field with a
te
x
t
format this user has no access to
.
$entity
->
field_test_text
->
value
=
$entity_values
[
'field_test_text'
][
0
][
'value'
];
$entity
->
field_test_text
->
format
=
'full_html'
;
$serialized
=
$serializer
->
serialize
(
$entity
,
$this
->
defaultFormat
);
$this
->
httpRequest
(
'entity/'
.
$entity_type
,
'POST'
,
$serialized
,
$this
->
defaultMimeType
);
$this
->
assertResponse
(
422
);
$this
->
assertFalse
(
entity_load_multiple
(
$entity_type
,
NULL
,
TRUE
),
'No entity has been created in the database.'
);
// Restore the valid test value.
$entity
->
field_test_text
->
format
=
'plain_text'
;
$serialized
=
$serializer
->
serialize
(
$entity
,
$this
->
defaultFormat
);
}
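Review bot: `$this->assertResponse(422)` after the POST with `format = 'full_html'` only shows the request was rejected as invalid, not that the text-format access check rejected it; any other validation failure would also produce 422 and the test would still pass. Asserting on the violation message in the response body would pin the regression to the format check. The trailing `$entity->field_test_text->format = 'plain_text'` and re-serialization under "Restore the valid test value." have no consumer inside the hunk; if `testCreate()` ends at the closing brace shown, the final `$serialized` assignment is dead code.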
core/modules/rest/lib/Drupal/rest/Tests/RESTTestBase.php
@@ -166,7 +166,10 @@ protected function entityValues($entity_type) {
return
array
(
'name'
=>
$this
->
randomName
(),
'user_id'
=>
1
,
'field_test_text'
=>
array
(
0
=>
array
(
'value'
=>
$this
->
randomString
())),
'field_test_text'
=>
array
(
0
=>
array
(
'value'
=>
$this
->
randomString
(),
'format'
=>
'plain_text'
,
)),
);
case
'node'
:
return
array
(
'title'
=>
$this
->
randomString
(),
'type'
=>
'resttest'
);
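Review bot: The `entity_test` fixture now hard-codes `'format' => 'plain_text'` without saying why; CreateTest and UpdateTest depend on this being a format the test user may use, with `'full_html'` as the forbidden one, so the choice should be explicit, e.g. `// A format the test user has access to; the format-access tests switch to 'full_html'.` The enclosing `entityValues()` switch starts before the hunk and continues past it.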
core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
@@ -51,7 +51,10 @@ public function testPatchUpdate() {
$entity
->
save
();
// Create a second stub entity for overwriting a field.
$patch_values
[
'field_test_text'
]
=
array
(
0
=>
array
(
'value'
=>
$this
->
randomString
()));
$patch_values
[
'field_test_text'
]
=
array
(
0
=>
array
(
'value'
=>
$this
->
randomString
(),
'format'
=>
'plain_text'
,
));
$patch_entity
=
entity_create
(
$entity_type
,
$patch_values
);
// We don't want to overwrite the UUID.
unset
(
$patch_entity
->
uuid
);
@@ -90,7 +93,8 @@ public function testPatchUpdate() {
// Enable access protection for the text field.
// @see entity_test_entity_field_access()
$entity
->
field_test_text
->
value
=
'no access value'
;
$entity
->
field_test_text
->
value
=
'no delete access value'
;
$entity
->
field_test_text
->
format
=
'plain_text'
;
$entity
->
save
();
// Try to empty a field that is access protected.
@@ -99,16 +103,30 @@ public function testPatchUpdate() {
// Re-load the entity from the database.
$entity
=
entity_load
(
$entity_type
,
$entity
->
id
(),
TRUE
);
$this
->
assertEqual
(
$entity
->
field_test_text
->
value
,
'no access value'
,
'Text field was not
upda
ted.'
);
$this
->
assertEqual
(
$entity
->
field_test_text
->
value
,
'no
delete
access value'
,
'Text field was not
dele
ted.'
);
// Try to update an access protected field.
$patch_entity
->
get
(
'field_test_text'
)
->
value
=
'no access value'
;
$serialized
=
$serializer
->
serialize
(
$patch_entity
,
$this
->
defaultFormat
);
$this
->
httpRequest
(
'entity/'
.
$entity_type
.
'/'
.
$entity
->
id
(),
'PATCH'
,
$serialized
,
$this
->
defaultMimeType
);
$this
->
assertResponse
(
403
);
// Re-load the entity from the database.
$entity
=
entity_load
(
$entity_type
,
$entity
->
id
(),
TRUE
);
$this
->
assertEqual
(
$entity
->
field_test_text
->
value
,
'no access value'
,
'Text field was not updated.'
);
$this
->
assertEqual
(
$entity
->
field_test_text
->
value
,
'no delete access value'
,
'Text field was not updated.'
);
// Try to update the field with a text format this user has no access to.
$patch_entity
->
set
(
'field_test_text'
,
array
(
'value'
=>
'test'
,
'format'
=>
'full_html'
,
));
$serialized
=
$serializer
->
serialize
(
$patch_entity
,
$this
->
defaultFormat
);
$this
->
httpRequest
(
'entity/'
.
$entity_type
.
'/'
.
$entity
->
id
(),
'PATCH'
,
$serialized
,
$this
->
defaultMimeType
);
$this
->
assertResponse
(
422
);
// Re-load the entity from the database.
$entity
=
entity_load
(
$entity_type
,
$entity
->
id
(),
TRUE
);
$this
->
assertEqual
(
$entity
->
field_test_text
->
value
,
'no delete access value'
,
'Text field was not updated.'
);
// Restore the valid test value.
$entity
->
field_test_text
->
value
=
$this
->
randomString
();
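Review bot: After the PATCH with `'format' => 'full_html'` is rejected with 422, the re-loaded entity is checked only for `field_test_text->value`, not for `field_test_text->format`, although the bypass this commit fixes concerns the format. The value assertion catches the case indirectly because the same PATCH also changes the value to `'test'`, but asserting the format directly documents what is under test and survives a future fixture that leaves the value unchanged. Add `$this->assertEqual($entity->field_test_text->format, 'plain_text', 'Text format was not updated.');` next to the existing value assertion. The enclosing `testPatchUpdate()` starts before the hunk and continues past it.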