Issue #3395431 by acbramley, smustgrave, larowlan: BlockContent JSON:API...

Issue #3395431 by acbramley, smustgrave, larowlan: BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permission (cherry picked from commit 257191b8)

Issue #3395431 by acbramley, smustgrave, larowlan: BlockContent JSON:API...
30ac531e · Dave Long · 4456b257 · 30ac531e · 30ac531e
Verified Commit 30ac531e authored 1 year ago by Dave Long
--- a/core/modules/jsonapi/jsonapi.module
+++ b/core/modules/jsonapi/jsonapi.module
@@ -183,6 +183,7 @@ function jsonapi_jsonapi_block_content_filter_access(EntityTypeInterface $entity
  // \Drupal\jsonapi\Access\TemporaryQueryGuard adds the condition for
  // (isReusable()), so this does not have to.
  return ([
+    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'access block library'),
    JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::allowed(),
  ]);
 }

--- a/core/modules/jsonapi/tests/src/Functional/BlockContentTest.php
+++ b/core/modules/jsonapi/tests/src/Functional/BlockContentTest.php
@@ -68,6 +68,11 @@ class BlockContentTest extends ResourceTestBase {
  protected function setUpAuthorization($method) {
    switch ($method) {
      case 'GET':
+        $this->grantPermissionsToTestedRole([
+          'access block library',
+        ]);
+        break;
+
      case 'PATCH':
        $this->grantPermissionsToTestedRole([
          'access block library',
@@ -86,6 +91,14 @@ protected function setUpAuthorization($method) {
    }
  }

+  /**
+   * {@inheritdoc}
+   */
+  protected function setUpRevisionAuthorization($method) {
+    parent::setUpRevisionAuthorization($method);
+    $this->grantPermissionsToTestedRole(['view any basic block content history']);
+  }
+
  /**
   * {@inheritdoc}
   */