From 80c942650a00ee01621e9207399bc05c0f8c22f1 Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Wed, 20 Jul 2022 10:11:30 -0500
Subject: [PATCH] SA-CORE-2022-013 by prudloff, tim.plunkett, Heine,
 effulgentsia, xjm, lauriii, longwave, larowlan

---
 core/lib/Drupal/Core/Form/FormBuilder.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php
index 4ed0faed77bf..98eb32634296 100644
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -1217,7 +1217,12 @@ protected function handleInputElement($form_id, &$element, FormStateInterface &$
     // #access=FALSE on an element usually allow access for some users, so forms
     // submitted with self::submitForm() may bypass access restriction and be
     // treated as high-privilege users instead.
-    $process_input = empty($element['#disabled']) && !in_array($element['#type'], ['item', 'value'], TRUE) && (($form_state->isProgrammed() && $form_state->isBypassingProgrammedAccessChecks()) || ($form_state->isProcessingInput() && (!isset($element['#access']) || $element['#access'])));
+    $process_input = empty($element['#disabled']) &&
+      !in_array($element['#type'], ['item', 'value'], TRUE) &&
+      (
+        ($form_state->isProgrammed() && $form_state->isBypassingProgrammedAccessChecks()) ||
+        ($form_state->isProcessingInput() && (!isset($element['#access']) || (($element['#access'] instanceof AccessResultInterface && $element['#access']->isAllowed()) || ($element['#access'] === TRUE))))
+      );
 
     // Set the element's #value property.
     if (!isset($element['#value']) && !array_key_exists('#value', $element)) {
-- 
GitLab