Commit 5c2dc50b authored by catch's avatar catch

Issue #2084323 by Berdir, sandipmkhairnar, Xano, Jalandhar:...

Issue #2084323 by Berdir, sandipmkhairnar, Xano, Jalandhar: EntityForm::actions() adds 'delete' without checking access.
parent 95c69f5b
......@@ -129,6 +129,9 @@ protected function processAccessHookResults(array $access) {
* could not be determined.
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
if ($operation == 'delete' && $entity->isNew()) {
return FALSE;
}
if ($admin_permission = $this->entityType->getAdminPermission()) {
return $account->hasPermission($admin_permission);
}
......
......@@ -168,11 +168,7 @@ public function processForm($element, $form_state, $form) {
protected function actionsElement(array $form, array &$form_state) {
$element = $this->actions($form, $form_state);
// We cannot delete an entity that has not been created yet.
if ($this->entity->isNew()) {
unset($element['delete']);
}
elseif (isset($element['delete'])) {
if (isset($element['delete'])) {
// Move the delete action as last one, unless weights are explicitly
// provided.
$delete = $element['delete'];
......@@ -230,6 +226,7 @@ protected function actions(array $form, array &$form_state) {
$actions['delete'] = array(
'#type' => 'link',
'#title' => $this->t('Delete'),
'#access' => $this->entity->access('delete'),
'#attributes' => array(
'class' => array('button', 'button--danger'),
),
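Review bot: Dropping the `isNew()` branch in actionsElement() removes the only unconditional safeguard, because the `'#access' => $this->entity->access('delete')` default added in actions() is lost whenever a subclass reassigns `$actions['delete']` or its `#access` key after calling parent::actions(). Several form classes touched by this commit did exactly that. Keeping `if ($this->entity->isNew()) { unset($element['delete']); }` ahead of the reordering code would cost nothing and would keep add forms safe regardless of subclass behaviour. A short comment on the `#access` line, such as `// Controls link visibility only; the delete route must enforce its own access requirement.`, would also help. Both functions extend beyond the visible hunks.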
......
......@@ -44,6 +44,13 @@ public function id() {
return NULL;
}
/**
* {@inheritdoc}
*/
public function uuid() {
return NULL;
}
/**
* {@inheritdoc}
*/
......
......@@ -146,7 +146,6 @@ public function form(array $form, array &$form_state) {
public function actions(array $form, array &$form_state) {
$elements = parent::actions($form, $form_state);
$elements['submit']['#value'] = t('Send message');
$elements['delete']['#access'] = FALSE;
$elements['preview'] = array(
'#value' => t('Preview'),
'#validate' => array(
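Review bot: With the hard-coded `$elements['delete']['#access'] = FALSE;` apparently removed here, the delete link on this form is hidden only if the entity's access check denies 'delete', and the base checkAccess() shown earlier returns `hasPermission($admin_permission)` for every operation on a saved entity. The same dependency is created in the form that loses `unset($actions['delete']);` (hunk at -268), the search form that loses its `isDefaultSearch()` check, and the role form that loses its built-in-role check. None of the corresponding access controllers appear on this page, so each should be confirmed to deny 'delete' for those cases. A pointer in each form, for example `// Delete access is decided in <AccessController>::checkAccess().`, would keep the rule discoverable. actions() continues outside the hunk.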
......
......@@ -268,7 +268,6 @@ public function submit(array $form, array &$form_state) {
protected function actions(array $form, array &$form_state) {
$actions = parent::actions($form, $form_state);
$actions['submit']['#value'] = t('Save configuration');
unset($actions['delete']);
return $actions;
}
......
......@@ -195,8 +195,6 @@ public function form(array $form, array &$form_state) {
protected function actions(array $form, array &$form_state) {
$element = parent::actions($form, $form_state);
$element['submit']['#button_type'] = 'primary';
$element['delete']['#access'] = $this->entity->access('delete');
return $element;
}
......
......@@ -178,8 +178,6 @@ public function menuNameExists($value) {
protected function actions(array $form, array &$form_state) {
$actions = parent::actions($form, $form_state);
$actions['delete']['#access'] = !$this->entity->isNew() && $this->entity->access('delete');
// Add the language configuration submit handler. This is needed because the
// submit button has custom submit handlers.
if ($this->moduleHandler->moduleExists('language')) {
......
......@@ -163,7 +163,6 @@ protected function actions(array $form, array &$form_state) {
$actions = parent::actions($form, $form_state);
$actions['submit']['#value'] = t('Save content type');
$actions['delete']['#value'] = t('Delete content type');
$actions['delete']['#access'] = $this->entity->access('delete');
return $actions;
}
......
......@@ -193,9 +193,13 @@ function testNodeTypeDeletion() {
$this->assertText(t('This action cannot be undone.'), 'The node type deletion confirmation form is available.');
// Test that forum node type could not be deleted while forum active.
$this->container->get('module_handler')->install(array('forum'));
$this->drupalGet('admin/structure/types/manage/forum');
$this->assertNoLink(t('Delete'));
$this->drupalGet('admin/structure/types/manage/forum/delete');
$this->assertResponse(403);
$this->container->get('module_handler')->uninstall(array('forum'));
$this->drupalGet('admin/structure/types/manage/forum');
$this->assertLink(t('Delete'));
$this->drupalGet('admin/structure/types/manage/forum/delete');
$this->assertResponse(200);
}
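Review bot: The added assertions cover only the edit form of an existing node type, so the behaviour this commit changes for unsaved entities has no test. An assertion against an add form, for example `$this->drupalGet('<add-form path>'); $this->assertNoLink(t('Delete'));`, would pin the new `isNew()` guard. A direct check such as `$this->assertFalse($unsaved_entity->access('delete'));` would catch an access controller that bypasses the base implementation. The forms that lost their own delete restrictions in this commit (contact message, search page, role) would benefit from the same `assertNoLink` check.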
......
......@@ -181,15 +181,4 @@ public function save(array $form, array &$form_state) {
$form_state['redirect_route']['route_name'] = 'search.settings';
}
/**
* {@inheritdoc}
*/
protected function actions(array $form, array &$form_state) {
$actions = parent::actions($form, $form_state);
if ($this->entity->isDefaultSearch()) {
unset($actions['delete']);
}
return $actions;
}
}
......@@ -47,16 +47,6 @@ public function form(array $form, array &$form_state) {
return $form;
}
/**
* {@inheritdoc}
*/
protected function actions(array $form, array &$form_state) {
// Disable delete of default shortcut set.
$actions = parent::actions($form, $form_state);
$actions['delete']['#access'] = $this->entity->access('delete');
return $actions;
}
/**
* {@inheritdoc}
*/
......
......@@ -48,16 +48,6 @@ public function form(array $form, array &$form_state) {
return parent::form($form, $form_state, $entity);
}
/**
* {@inheritdoc}
*/
protected function actions(array $form, array &$form_state) {
$actions = parent::actions($form, $form_state);
// Disable delete of new and built-in roles.
$actions['delete']['#access'] = !$this->entity->isNew() && !in_array($this->entity->id(), array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID));
return $actions;
}
/**
* {@inheritdoc}
*/
......