From 6ef6a009ff263220b0aaab9e914b59dd33e4fccb Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Thu, 11 Jul 2024 12:30:19 +0100
Subject: [PATCH] Issue #3412420 by acbramley, douggreen, Hardik_Patel_12, xjm, smustgrave, larowlan: BlockContentAccessControlHandler requires access block library permission for create

---
 .../block_content/src/BlockContentAccessControlHandler.php | 4 +---
 .../tests/src/Functional/BlockContentCreationTest.php | 7 +++++++
 .../src/Functional/Rest/BlockContentResourceTestBase.php | 6 +++---
 .../jsonapi/tests/src/Functional/BlockContentTest.php | 4 ++--
 4 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/core/modules/block_content/src/BlockContentAccessControlHandler.php b/core/modules/block_content/src/BlockContentAccessControlHandler.php
index 13d4fc1d0eba..34d5dd6e5ed0 100644
--- a/core/modules/block_content/src/BlockContentAccessControlHandler.php
+++ b/core/modules/block_content/src/BlockContentAccessControlHandler.php
@@ -107,10 +107,8 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
 protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
 return AccessResult::allowedIfHasPermissions($account, [
 'create ' . $entity_bundle . ' block content',
- 'access block library',
- ])->orIf(AccessResult::allowedIfHasPermissions($account, [
 'administer block content',
- ]));
+ ], 'OR');
 }

 }
diff --git a/core/modules/block_content/tests/src/Functional/BlockContentCreationTest.php b/core/modules/block_content/tests/src/Functional/BlockContentCreationTest.php
index f0602f0b5ce6..d6d500dbaed3 100644
--- a/core/modules/block_content/tests/src/Functional/BlockContentCreationTest.php
+++ b/core/modules/block_content/tests/src/Functional/BlockContentCreationTest.php
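Review bot: In `checkCreateAccess()` (BlockContentAccessControlHandler.php) the new `'OR'` list drops 'access block library' with no comment recording that this is deliberate, and the REST and JSON:API test updates later in this patch show that POST goes through the same check, so a role that holds a create permission but was intentionally denied 'access block library' would gain create access on update. I would add above the return `// Create access needs only the bundle's create permission or 'administer block content'; 'access block library' is intentionally not required.` and call out the widened access in the change record. Separately, with the default `$entity_bundle = NULL` the first entry becomes `'create  block content'`, which presumably matches no defined permission; that fails closed to 'administer block content', but the denial reason would then name a permission that does not exist. The method's docblock lies above the hunk.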
@@ -74,6 +74,13 @@ public function testBlockContentCreation(): void {
 // Check that the block exists in the database.
 $block = $this->getBlockByLabel($edit['info[0][value]']);
 $this->assertNotEmpty($block, 'Content Block found in database.');
+
+ // Ensure a user with just the create permission can access the page.
+ $this->drupalLogin($this->drupalCreateUser([
+ 'create basic block content',
+ ]));
+ $this->drupalGet('block/add/basic');
+ $this->assertSession()->statusCodeEquals(200);
 }

 /**
diff --git a/core/modules/block_content/tests/src/Functional/Rest/BlockContentResourceTestBase.php b/core/modules/block_content/tests/src/Functional/Rest/BlockContentResourceTestBase.php
index f3af50a1f58c..2bdadff5e2dd 100644
--- a/core/modules/block_content/tests/src/Functional/Rest/BlockContentResourceTestBase.php
+++ b/core/modules/block_content/tests/src/Functional/Rest/BlockContentResourceTestBase.php
@@ -47,7 +47,7 @@ protected function setUpAuthorization($method) {
 break;

 case 'POST':
- $this->grantPermissionsToTestedRole(['access block library', 'create basic block content']);
+ $this->grantPermissionsToTestedRole(['create basic block content']);
 break;

 case 'DELETE':
@@ -199,7 +199,7 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 if (!$this->resourceConfigStorage->load(static::$resourceConfigId)) {
 return match ($method) {
 'GET', 'PATCH' => "The 'edit any basic block content' permission is required.",
- 'POST' => "The following permissions are required: 'create basic block content' AND 'access block library'.",
+ 'POST' => "The following permissions are required: 'create basic block content' OR 'administer block content'.",
 'DELETE' => "The 'delete any basic block content' permission is required.",
 default => parent::getExpectedUnauthorizedAccessMessage($method),
 };
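Review bot: The block added to `testBlockContentCreation()` (BlockContentCreationTest.php, hunk at -74) asserts only the allow path, a create-only user getting 200 on `block/add/basic`; no matching deny assertion is visible in the hunk, so a regression that made the relaxed check allow every account would still pass here. I would follow it with a user that has no block permissions: `$this->drupalLogin($this->drupalCreateUser());`, `$this->drupalGet('block/add/basic');`, `$this->assertSession()->statusCodeEquals(403);`. The test also stops at loading the form, so it does not show that a create-only user can submit it and land on a page they are allowed to see; whether the post-save destination still depends on 'access block library' cannot be told from this hunk. The test method starts above the hunk.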
@@ -207,7 +207,7 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 return match ($method) {
 'GET' => "The 'access block library' permission is required.",
 'PATCH' => "The 'edit any basic block content' permission is required.",
- 'POST' => "The following permissions are required: 'create basic block content' AND 'access block library'.",
+ 'POST' => "The following permissions are required: 'create basic block content' OR 'administer block content'.",
 'DELETE' => "The 'delete any basic block content' permission is required.",
 default => parent::getExpectedUnauthorizedAccessMessage($method),
 };
diff --git a/core/modules/jsonapi/tests/src/Functional/BlockContentTest.php b/core/modules/jsonapi/tests/src/Functional/BlockContentTest.php
index 7d35326abc63..125c9120bca7 100644
--- a/core/modules/jsonapi/tests/src/Functional/BlockContentTest.php
+++ b/core/modules/jsonapi/tests/src/Functional/BlockContentTest.php
@@ -83,7 +83,7 @@ protected function setUpAuthorization($method) {
 break;

 case 'POST':
- $this->grantPermissionsToTestedRole(['access block library', 'create basic block content']);
+ $this->grantPermissionsToTestedRole(['create basic block content']);
 break;

 case 'DELETE':
@@ -220,7 +220,7 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 return match ($method) {
 'GET' => "The 'access block library' permission is required.",
 'PATCH' => "The 'edit any basic block content' permission is required.",
- 'POST' => "The following permissions are required: 'create basic block content' AND 'access block library'.",
+ 'POST' => "The following permissions are required: 'create basic block content' OR 'administer block content'.",
 'DELETE' => "The 'delete any basic block content' permission is required.",
 default => parent::getExpectedUnauthorizedAccessMessage($method),
 };
-- 
GitLab