Commit 60718c0f authored by catch's avatar catch

Issue #3048760 by Upchuk, ndobromirov, seanB, hchonov, bkosborne, Berdir:...

Issue #3048760 by Upchuk, ndobromirov, seanB, hchonov, bkosborne, Berdir: EntityCreateAnyAccessCheck::access() too restrictive

(cherry picked from commit ee7aaf22)
parent fba5e54e
......@@ -3,6 +3,7 @@
namespace Drupal\Core\Entity;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultReasonInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Session\AccountInterface;
......@@ -92,11 +93,16 @@ public function access(Route $route, RouteMatchInterface $route_match, AccountIn
// Check whether an entity of any bundle may be created.
foreach ($bundles as $bundle) {
$access = $access->orIf($access_control_handler->createAccess($bundle, $account, [], TRUE));
// In case there is a least one bundle user can create entities for,
$bundle_access = $access_control_handler->createAccess($bundle, $account, [], TRUE);
$access->inheritCacheability($bundle_access);
if ($bundle_access instanceof AccessResultReasonInterface && $bundle_access->getReason() !== "" && $access->getReason() === "") {
$access->setReason($bundle_access->getReason());
}
// In case there is at least one bundle the user can create entities for,
// access is allowed.
if ($access->isAllowed()) {
break;
if ($bundle_access->isAllowed()) {
return AccessResult::allowed()->inheritCacheability($access);
}
}
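Review bot: The reason propagation at `if ($bundle_access instanceof AccessResultReasonInterface && $bundle_access->getReason() !== "" && $access->getReason() === "")` keeps only the first non-empty bundle reason, so when no bundle is creatable the aggregated denial explains one arbitrary (first-listed) bundle and silently drops the others, and nothing says this is intended. I would add above that line `// Keep the first reason a bundle handler gave so the aggregated denial stays explainable; later reasons are deliberately dropped.`. Note also that `$access->getReason()` and `$access->setReason()` are called without the `instanceof` guard applied to `$bundle_access`, which is only safe if `$access` is initialised as a neutral or forbidden result above the hunk; the enclosing `access()` method starts and ends outside the hunk, so that cannot be confirmed here. The method's docblock (also outside the hunk) should state the behavioural change this hunk makes: a forbidden bundle no longer vetoes creation when another bundle is allowed, and the first allowed bundle ends the check early with the cacheability accumulated so far.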
......
......@@ -777,6 +777,12 @@ function entity_test_entity_create_access(AccountInterface $account, $context, $
\Drupal::state()->set('entity_test_entity_create_access', TRUE);
\Drupal::state()->set('entity_test_entity_create_access_context', $context);
if ($entity_bundle === 'forbidden_access_bundle') {
// We need to cover a case in which a bundle is specifically forbidden
// from creation (as opposed to neutral access).
return AccessResult::forbidden();
}
// No opinion.
return AccessResult::neutral();
}
......
......@@ -92,9 +92,19 @@ public function testAddPageWithBundleEntities() {
'label' => 'Test3 label',
'description' => 'My test3 description',
])->save();
// Create a bundle that the user is forbidden from creating (always).
EntityTestBundle::create([
'id' => 'forbidden_access_bundle',
'label' => 'Forbidden to create bundle',
'description' => 'A bundle that can never be created',
])->save();
$this->drupalGet('/entity_test_with_bundle/add');
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->linkExists('Test label');
$this->assertSession()->linkExists('Test2 label');
$this->assertSession()->linkNotExists('Forbidden to create bundle');
$this->assertSession()->linkNotExists('Test3 label');
$this->clickLink('Test label');
$this->assertSession()->statusCodeEquals(200);
......@@ -114,6 +124,7 @@ public function testAddPageWithBundleEntities() {
// does not have bundle specific permissions. The add bundle message is
// present as the user has bundle create permissions.
$this->drupalGet('/entity_test_with_bundle/add');
$this->assertSession()->linkNotExists('Forbidden to create bundle');
$this->assertSession()->linkNotExists('Test label');
$this->assertSession()->linkNotExists('Test2 label');
$this->assertSession()->linkNotExists('Test3 label');
......