Commit 5c88ea31 authored by catch's avatar catch

Issue #2064181 by klausi: Fixed Filter format access bypass on POST/PATCH.

parent 9e5def44
......@@ -149,17 +149,13 @@ public function patch($id, EntityInterface $entity = NULL) {
// Overwrite the received properties.
foreach ($entity as $field_name => $field) {
if (isset($entity->{$field_name})) {
if (empty($entity->{$field_name})) {
if (!$original_entity->get($field_name)->access('delete')) {
throw new AccessDeniedHttpException(t('Access denied on deleting field @field.', array('@field' => $field_name)));
}
}
else {
if (!$original_entity->get($field_name)->access('update')) {
throw new AccessDeniedHttpException(t('Access denied on updating field @field.', array('@field' => $field_name)));
}
if ($field->isEmpty() && !$original_entity->get($field_name)->access('delete')) {
throw new AccessDeniedHttpException(t('Access denied on deleting field @field.', array('@field' => $field_name)));
}
$original_entity->set($field_name, $field->getValue());
if (!$original_entity->get($field_name)->access('update')) {
throw new AccessDeniedHttpException(t('Access denied on updating field @field.', array('@field' => $field_name)));
}
}
}
......
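Review bot: The update-access check at the bottom of the loop (`if (!$original_entity->get($field_name)->access('update'))`) now runs after `$original_entity->set($field_name, $field->getValue());`, so it decides on the incoming value rather than the stored one; that ordering is what closes the format bypass named in the commit title, but nothing in the code says so and a later refactor could move the check back above the `set()`. A comment such as `// Check update access on the new value so the field access handler sees the incoming format, not the stored one.` would pin it. The delete check above it still looks at the stored field before `set()` is called, which appears deliberate since an empty incoming field carries nothing to evaluate. Note that the thrown exception leaves `$original_entity` already mutated in memory; that is harmless only if the caller discards it on exception, which this hunk cannot confirm. patch()'s signature and the rest of its body are outside the hunk.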
......@@ -80,8 +80,16 @@ public function testCreate() {
$this->assertResponse(403);
$this->assertFalse(entity_load_multiple($entity_type, NULL, TRUE), 'No entity has been created in the database.');
// Restore the valid test value.
// Try to create a field with a text format this user has no access to.
$entity->field_test_text->value = $entity_values['field_test_text'][0]['value'];
$entity->field_test_text->format = 'full_html';
$serialized = $serializer->serialize($entity, $this->defaultFormat);
$this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType);
$this->assertResponse(422);
$this->assertFalse(entity_load_multiple($entity_type, NULL, TRUE), 'No entity has been created in the database.');
// Restore the valid test value.
$entity->field_test_text->format = 'plain_text';
$serialized = $serializer->serialize($entity, $this->defaultFormat);
}
......
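Review bot: The rejection asserted at `$this->assertResponse(422);` is a validation status, while the access failures elsewhere in this test expect 403, so a reader cannot tell from the test why a disallowed text format yields 422 instead of 403. A comment above the assertion such as `// Text format access is presumably enforced by validation, so this is a 422 rather than a 403.` would make the expectation explicit; the code that produces the 422 is not part of this commit, so the explanation is inferred from the status code. The assertion at `$this->assertFalse(entity_load_multiple(...), 'No entity has been created in the database.');` is the one that actually proves the bypass is closed and should stay next to the status check. testCreate() starts and continues outside the hunk.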
......@@ -166,7 +166,10 @@ protected function entityValues($entity_type) {
return array(
'name' => $this->randomName(),
'user_id' => 1,
'field_test_text' => array(0 => array('value' => $this->randomString())),
'field_test_text' => array(0 => array(
'value' => $this->randomString(),
'format' => 'plain_text',
)),
);
case 'node':
return array('title' => $this->randomString(), 'type' => 'resttest');
......
......@@ -51,7 +51,10 @@ public function testPatchUpdate() {
$entity->save();
// Create a second stub entity for overwriting a field.
$patch_values['field_test_text'] = array(0 => array('value' => $this->randomString()));
$patch_values['field_test_text'] = array(0 => array(
'value' => $this->randomString(),
'format' => 'plain_text',
));
$patch_entity = entity_create($entity_type, $patch_values);
// We don't want to overwrite the UUID.
unset($patch_entity->uuid);
......@@ -90,7 +93,8 @@ public function testPatchUpdate() {
// Enable access protection for the text field.
// @see entity_test_entity_field_access()
$entity->field_test_text->value = 'no access value';
$entity->field_test_text->value = 'no delete access value';
$entity->field_test_text->format = 'plain_text';
$entity->save();
// Try to empty a field that is access protected.
......@@ -99,16 +103,30 @@ public function testPatchUpdate() {
// Re-load the entity from the database.
$entity = entity_load($entity_type, $entity->id(), TRUE);
$this->assertEqual($entity->field_test_text->value, 'no access value', 'Text field was not updated.');
$this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not deleted.');
// Try to update an access protected field.
$patch_entity->get('field_test_text')->value = 'no access value';
$serialized = $serializer->serialize($patch_entity, $this->defaultFormat);
$this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', $serialized, $this->defaultMimeType);
$this->assertResponse(403);
// Re-load the entity from the database.
$entity = entity_load($entity_type, $entity->id(), TRUE);
$this->assertEqual($entity->field_test_text->value, 'no access value', 'Text field was not updated.');
$this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated.');
// Try to update the field with a text format this user has no access to.
$patch_entity->set('field_test_text', array(
'value' => 'test',
'format' => 'full_html',
));
$serialized = $serializer->serialize($patch_entity, $this->defaultFormat);
$this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', $serialized, $this->defaultMimeType);
$this->assertResponse(422);
// Re-load the entity from the database.
$entity = entity_load($entity_type, $entity->id(), TRUE);
$this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated.');
// Restore the valid test value.
$entity->field_test_text->value = $this->randomString();
......
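Review bot: After the rejected PATCH with format `full_html`, the reload only asserts that `value` is unchanged (`$this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated.');`), so a regression that stores the new format while leaving the value alone would still pass. Add `$this->assertEqual($entity->field_test_text->format, 'plain_text', 'Text format was not updated.');` directly after that assertion, since the format is the property this commit protects. The same format assertion would strengthen the two earlier reloads in this hunk. As in testCreate(), a short comment explaining why the format case is a 422 while the field access cases are 403 would help the next reader. testPatchUpdate() starts and ends outside the hunk.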