Commit 1eae5210 authored by alexpott's avatar alexpott

Issue #2420559 by klausi, dawehner: REST permissions are not working as expected

parent d9a318b2
......@@ -207,7 +207,11 @@ protected function getBaseRoute($canonical_path, $method) {
'_method' => $method,
'_permission' => "restful $lower_method $this->pluginId",
), array(
'_access_mode' => AccessManagerInterface::ACCESS_MODE_ANY,
// All access restrictions on this route must grant access because the
// permission AND the CSRF protection added in
// \Drupal\rest\Routing\ResourceRoutes::alterRoutes() must be taken into
// account.
'_access_mode' => AccessManagerInterface::ACCESS_MODE_ALL,
));
return $route;
}
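Review bot: The comment above `'_access_mode' => AccessManagerInterface::ACCESS_MODE_ALL` says both checks must be "taken into account" but never states the failure it prevents, which is what the next reader of this route definition needs to know before touching the mode again. I would reword it to name the risk directly, e.g. `// Require every access check on this route to grant access. With ACCESS_MODE_ANY a single passing check (presumably the CSRF check added in \Drupal\rest\Routing\ResourceRoutes::alterRoutes()) would be enough, and the '_permission' requirement above could be bypassed.` Whether ACCESS_MODE_ANY really short-circuits on the first granting check is not visible in this hunk, so keep the hedge unless it is confirmed against AccessManagerInterface. getBaseRoute() starts outside the hunk; only the tail of the Route construction is shown.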
......@@ -75,6 +75,30 @@ public function testCreateResourceRestApiNotEnabled() {
$this->assertFalse(EntityTest::loadMultiple(), 'No entity has been created in the database.');
}
/**
* Ensure that an entity cannot be created without the restful permission.
*/
public function testCreateWithoutPermission() {
$entity_type = 'entity_test';
// Enables the REST service for 'entity_test' entity type.
$this->enableService('entity:' . $entity_type, 'POST');
$permissions = $this->entityPermissions($entity_type, 'create');
// Create a user without the 'restful post entity:entity_test permission.
$account = $this->drupalCreateUser($permissions);
$this->drupalLogin($account);
// Populate some entity properties before create the entity.
$entity_values = $this->entityValues($entity_type);
$entity = EntityTest::create($entity_values);
// Serialize the entity before the POST request.
$serialized = $this->serializer->serialize($entity, $this->defaultFormat, ['account' => $account]);
// Create the entity over the REST API.
$this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType);
$this->assertResponse(403);
$this->assertFalse(EntityTest::loadMultiple(), 'No entity has been created in the database.');
}
/**
* Tests several valid and invalid create requests for 'entity_test' entity type.
*/
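Review bot: testCreateWithoutPermission() covers only the POST route, while the `_access_mode` change in getBaseRoute() applies to every method the resource exposes, so a regression in the GET/PATCH/DELETE permission checks would still pass this suite; a sibling test issuing one of those requests with a user that lacks the matching `restful <method> entity:entity_test` permission and asserting 403 would close that gap, though this cannot be verified from the hunk alone. The comment `// Create a user without the 'restful post entity:entity_test permission.` is missing its closing quote and should read `// Create a user without the 'restful post entity:entity_test' permission.` Likewise `// Populate some entity properties before create the entity.` should be `// Populate some entity properties before creating the entity.`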