Commit e83d8970 authored by catch's avatar catch

Issue #2351777 by chx, claudiu.cristea: Do not depend on event subscribers for...

Issue #2351777 by chx, claudiu.cristea: Do not depend on event subscribers for security: Replace AccessRouteSubscriber with build-in checks.
parent fa9b7ac8
......@@ -537,7 +537,7 @@ services:
arguments: ['@state']
router.builder:
class: Drupal\Core\Routing\RouteBuilder
arguments: ['@router.dumper', '@lock', '@event_dispatcher', '@module_handler', '@controller_resolver', '@router.builder_indicator']
arguments: ['@router.dumper', '@lock', '@event_dispatcher', '@module_handler', '@controller_resolver', '@access_manager.check_provider', '@router.builder_indicator']
router.rebuild_subscriber:
class: Drupal\Core\EventSubscriber\RouterRebuildSubscriber
arguments: ['@router.builder']
......@@ -702,11 +702,6 @@ services:
calls:
- [setContainer, ['@service_container']]
public: false
access_route_subscriber:
class: Drupal\Core\EventSubscriber\AccessRouteSubscriber
tags:
- { name: event_subscriber }
arguments: ['@access_manager.check_provider']
access_check.default:
class: Drupal\Core\Access\DefaultAccessCheck
tags:
......
<?php
/**
* @file
* Contains \Drupal\Core\EventSubscriber\AccessRouteSubscriber.
*/
namespace Drupal\Core\EventSubscriber;
use Drupal\Core\Access\CheckProviderInterface;
use Drupal\Core\Routing\RouteBuildEvent;
use Drupal\Core\Routing\RoutingEvents;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
/**
* Provides a subscriber to set access checkers on route building.
*/
class AccessRouteSubscriber implements EventSubscriberInterface {
/**
* The access manager.
*
* @var \Drupal\Core\Access\checkProviderInterface
*/
protected $checkProvider;
/**
* Constructs a new AccessSubscriber.
*
* @param \Drupal\Core\Access\CheckProviderInterface $check_provider
* The check provider that will be responsible for applying
* access checkers against routes.
*/
public function __construct(CheckProviderInterface $check_provider) {
$this->checkProvider = $check_provider;
}
/**
* Apply access checks to routes.
*
* @param \Drupal\Core\Routing\RouteBuildEvent $event
* The event to process.
*/
public function onRoutingRouteAlterSetAccessCheck(RouteBuildEvent $event) {
$this->checkProvider->setChecks($event->getRouteCollection());
}
/**
* Registers the methods in this class that should be listeners.
*
* @return array
* An array of event listener definitions.
*/
static function getSubscribedEvents() {
// Setting very low priority to ensure access checks are run after alters.
$events[RoutingEvents::ALTER][] = array('onRoutingRouteAlterSetAccessCheck', -1000);
return $events;
}
}
......@@ -2,22 +2,21 @@
/**
* @file
* Definition of Drupal\Core\Routing\RouteBuilder.
* Contains \Drupal\Core\Routing\RouteBuilder.
*/
namespace Drupal\Core\Routing;
use Drupal\Component\Discovery\YamlDiscovery;
use Drupal\Core\Access\CheckProviderInterface;
use Drupal\Core\Controller\ControllerResolverInterface;
use Drupal\Core\State\StateInterface;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Lock\LockBackendInterface;
use Symfony\Component\EventDispatcher\Event;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\Routing\RouteCollection;
use Symfony\Component\Routing\Route;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Lock\LockBackendInterface;
/**
* Managing class for rebuilding the router table.
*/
......@@ -86,6 +85,13 @@ class RouteBuilder implements RouteBuilderInterface {
*/
protected $building = FALSE;
/**
* The check provider.
*
* @var \Drupal\Core\Access\CheckProviderInterface
*/
protected $checkProvider;
/**
* Constructs the RouteBuilder using the passed MatcherDumperInterface.
*
......@@ -99,16 +105,19 @@ class RouteBuilder implements RouteBuilderInterface {
* The module handler.
* @param \Drupal\Core\Controller\ControllerResolverInterface $controller_resolver
* The controller resolver.
* @param \Drupal\Core\Access\CheckProviderInterface $check_provider
* The check provider.
* @param \Drupal\Core\Routing\RouteBuilderIndicatorInterface $route_build_indicator
* The route build indicator.
*/
public function __construct(MatcherDumperInterface $dumper, LockBackendInterface $lock, EventDispatcherInterface $dispatcher, ModuleHandlerInterface $module_handler, ControllerResolverInterface $controller_resolver, RouteBuilderIndicatorInterface $route_build_indicator = NULL) {
public function __construct(MatcherDumperInterface $dumper, LockBackendInterface $lock, EventDispatcherInterface $dispatcher, ModuleHandlerInterface $module_handler, ControllerResolverInterface $controller_resolver, CheckProviderInterface $check_provider, RouteBuilderIndicatorInterface $route_build_indicator = NULL) {
$this->dumper = $dumper;
$this->lock = $lock;
$this->dispatcher = $dispatcher;
$this->moduleHandler = $module_handler;
$this->controllerResolver = $controller_resolver;
$this->routeBuilderIndicator = $route_build_indicator;
$this->checkProvider = $check_provider;
}
/**
......@@ -179,6 +188,8 @@ public function rebuild() {
// make it clear.
$this->dispatcher->dispatch(RoutingEvents::ALTER, new RouteBuildEvent($collection));
$this->checkProvider->setChecks($collection);
$this->dumper->addRoutes($collection);
$this->dumper->dump();
......
......@@ -78,6 +78,11 @@ class RouteBuilderTest extends UnitTestCase {
*/
protected $routeBuilderIndicator;
/**
* @var \Drupal\Core\Access\CheckProviderInterface|\PHPUnit_Framework_MockObject_MockObject
*/
protected $checkProvider;
protected function setUp() {
$this->dumper = $this->getMock('Drupal\Core\Routing\MatcherDumperInterface');
$this->lock = $this->getMock('Drupal\Core\Lock\LockBackendInterface');
......@@ -88,8 +93,9 @@ protected function setUp() {
->disableOriginalConstructor()
->getMock();
$this->routeBuilderIndicator = $this->getMock('\Drupal\Core\Routing\RouteBuilderIndicatorInterface');
$this->checkProvider = $this->getMock('\Drupal\Core\Access\CheckProviderInterface');
$this->routeBuilder = new TestRouteBuilder($this->dumper, $this->lock, $this->dispatcher, $this->moduleHandler, $this->controllerResolver, $this->routeBuilderIndicator);
$this->routeBuilder = new TestRouteBuilder($this->dumper, $this->lock, $this->dispatcher, $this->moduleHandler, $this->controllerResolver, $this->checkProvider, $this->routeBuilderIndicator);
$this->routeBuilder->setYamlDiscovery($this->yamlDiscovery);
}
......@@ -168,6 +174,11 @@ public function testRebuildWithStaticModuleRoutes() {
->method('dispatch')
->with(RoutingEvents::ALTER, $route_build_event);
// Ensure that access checks are set.
$this->checkProvider->expects($this->once())
->method('setChecks')
->with($route_collection);
// Ensure that the routes are set to the dumper and dumped.
$this->dumper->expects($this->at(0))
->method('addRoutes')
......@@ -233,6 +244,11 @@ public function testRebuildWithProviderBasedRoutes() {
->method('dispatch')
->with(RoutingEvents::ALTER, $route_build_event);
// Ensure that access checks are set.
$this->checkProvider->expects($this->once())
->method('setChecks')
->with($route_collection_filled);
// Ensure that the routes are set to the dumper and dumped.
$this->dumper->expects($this->at(0))
->method('addRoutes')
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment