Commit 97072d86 authored by webchick's avatar webchick

Issue #2150179 by swentel, larowlan: Delete confirm form for locked fields is hotlinkable.

parent fd2c3c77
......@@ -607,6 +607,13 @@ public function isMultiple() {
return ($cardinality == static::CARDINALITY_UNLIMITED) || ($cardinality > 1);
}
/**
* {@inheritdoc}
*/
public function isLocked() {
return $this->locked;
}
/**
* {@inheritdoc}
*/
......
......@@ -23,4 +23,12 @@ interface FieldInterface extends ConfigEntityInterface, FieldDefinitionInterface
*/
public function getBundles();
/**
* Returns whether the field is locked or not.
*
* @return bool
* TRUE if the field is locked.
*/
public function isLocked();
}
......@@ -4,6 +4,10 @@ services:
arguments: ['@entity.manager']
tags:
- { name: event_subscriber }
access_check.field_ui.field_delete:
class: Drupal\field_ui\Access\FieldDeleteAccessCheck
tags:
- { name: access_check, applies_to: _field_ui_field_delete_access }
access_check.field_ui.view_mode:
class: Drupal\field_ui\Access\ViewModeAccessCheck
arguments: ['@entity.manager']
......
<?php
/**
* @file
* Contains \Drupal\field_ui\Access\FieldDeleteAccessCheck.
*/
namespace Drupal\field_ui\Access;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\Routing\Route;
use Symfony\Component\HttpFoundation\Request;
/**
* Allows access to routes to be controlled by an '_access' boolean parameter.
*/
class FieldDeleteAccessCheck implements AccessInterface {
/**
* {@inheritdoc}
*/
public function access(Route $route, Request $request, AccountInterface $account) {
$field_instance = $request->attributes->get('field_instance');
if (!$field_instance->getField()->isLocked()) {
$permission = $route->getRequirement('_field_ui_field_delete_access');
return $account->hasPermission($permission) ? static::ALLOW : static::DENY;
}
return static::DENY;
}
}
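Review bot: `access()` calls `getField()` on whatever `$request->attributes->get('field_instance')` returns, so a request where that attribute is missing or was not upcast to an entity ends in a fatal error rather than a denial. Failing closed first, `if (!$field_instance || $field_instance->getField()->isLocked()) { return static::DENY; }`, keeps the result a clean 403 and leaves the permission check as the only path to ALLOW. The locked branch returns `static::DENY`; if the access manager in this version lets another checker's ALLOW override a DENY, a locked field probably wants the hard-deny constant instead (`KILL`, if AccessInterface defines it here). The class docblock is copied from a different checker and should describe this one, e.g. `Denies access to the field delete form when the field is locked; otherwise checks the permission named in the route requirement.`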
......@@ -68,7 +68,7 @@ protected function alterRoutes(RouteCollection $collection, $provider) {
$route = new Route(
"$path/fields/{field_instance}/delete",
array('_entity_form' => 'field_instance.delete'),
array('_permission' => 'administer ' . $entity_type . ' fields')
array('_field_ui_field_delete_access' => 'administer ' . $entity_type . ' fields')
);
$collection->add("field_ui.delete_$entity_type", $route);
......
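Review bot: Only the delete route is moved to the lock-aware `_field_ui_field_delete_access` requirement, while testLockedField in this same commit also asserts that the edit link is hidden for locked fields. If the edit route is still guarded by `_permission` alone (not visible in this hunk; alterRoutes starts and ends outside it), it may be reachable by direct URL in the same way and deserves the same check. A short comment above the requirement would also help, e.g. `// Custom check: enforces the field lock in addition to the permission, so the form cannot be reached by URL.`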
......@@ -415,6 +415,8 @@ function testLockedField() {
$this->assertFalse(in_array('edit', $edit_link), 'Edit option for locked field is not present the UI');
$delete_link = $this->xpath('//tr[@id=:field_name]/td[4]', array(':field_name' => $field->name));
$this->assertFalse(in_array('delete', $delete_link), 'Delete option for locked field is not present the UI');
$this->drupalGet('admin/structure/types/manage/' . $this->type . '/fields/node.' . $this->type . '.' . $field->name . '/delete');
$this->assertResponse(403);
}
/**
......
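Review bot: The added request covers only the locked-field denial, but the permission check for this route now lives in the new FieldDeleteAccessCheck rather than in the generic `_permission` requirement. Unless other tests outside this hunk cover it, the permission path is unpinned: a user without the `administer ... fields` permission should get 403 on an unlocked field, and a permitted user 200. The new assertion would also read better with a message in the style of the lines above it, `$this->assertResponse(403, 'Delete form for a locked field is not reachable by direct URL.');`.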