Unverified Commit 73d9d9b7 authored by alexpott's avatar alexpott

Issue #3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update...

Issue #3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update introduces breaking changes to content moderation
parent 030a9cef
......@@ -123,7 +123,7 @@ public function validate($value, Constraint $constraint) {
else {
// If we're sure the transition exists, make sure the user has permission
// to use it.
if (!$this->stateTransitionValidation->isTransitionValid($workflow, $original_state, $new_state, $this->currentUser)) {
if (!$this->stateTransitionValidation->isTransitionValid($workflow, $original_state, $new_state, $this->currentUser, $entity)) {
$this->context->addViolation($constraint->invalidTransitionAccess, [
'%original_state' => $original_state->label(),
'%new_state' => $new_state->label(),
......
......@@ -52,7 +52,10 @@ public function getValidTransitions(ContentEntityInterface $entity, AccountInter
/**
* {@inheritdoc}
*/
public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user) {
public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user, ContentEntityInterface $entity = NULL) {
if ($entity === NULL) {
@trigger_error(sprintf('Omitting the $entity parameter from %s is deprecated and will be required in Drupal 9.0.0.', __METHOD__), E_USER_DEPRECATED);
}
$transition = $workflow->getTypePlugin()->getTransitionFromStateToState($original_state->id(), $new_state->id());
return $user->hasPermission('use ' . $workflow->id() . ' transition ' . $transition->id());
}
......
......@@ -36,10 +36,13 @@ public function getValidTransitions(ContentEntityInterface $entity, AccountInter
* The new workflow state.
* @param \Drupal\Core\Session\AccountInterface $user
* The user to validate.
* @param \Drupal\Core\Entity\ContentEntityInterface $entity
* (optional) The entity to be transitioned. Omitting this parameter is
* deprecated and will be required in Drupal 9.0.0.
*
* @return bool
* Returns TRUE if transition is valid, otherwise FALSE.
*/
public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user);
public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user, ContentEntityInterface $entity = NULL);
}
......@@ -10,6 +10,7 @@
use Drupal\Tests\UnitTestCase;
use Drupal\workflow_type_test\Plugin\WorkflowType\TestType;
use Drupal\workflows\Entity\Workflow;
use Drupal\workflows\State;
use Drupal\workflows\WorkflowTypeManager;
use Prophecy\Argument;
......@@ -19,6 +20,38 @@
*/
class StateTransitionValidationTest extends UnitTestCase {
/**
* A test workflow.
*
* @var \Drupal\workflows\WorkflowInterface
*/
protected $workflow;
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
// Create a container so that the plugin manager and workflow type can be
// mocked.
$container = new ContainerBuilder();
$workflow_manager = $this->prophesize(WorkflowTypeManager::class);
$workflow_manager->createInstance('content_moderation', Argument::any())->willReturn(new TestType([], '', []));
$container->set('plugin.manager.workflows.type', $workflow_manager->reveal());
\Drupal::setContainer($container);
$this->workflow = new Workflow(['id' => 'process', 'type' => 'content_moderation'], 'workflow');
$this->workflow
->getTypePlugin()
->addState('draft', 'draft')
->addState('needs_review', 'needs_review')
->addState('published', 'published')
->addTransition('draft', 'draft', ['draft'], 'draft')
->addTransition('review', 'review', ['draft'], 'needs_review')
->addTransition('publish', 'publish', ['needs_review', 'published'], 'published');
}
/**
* Verifies user-aware transition validation.
*
......@@ -47,7 +80,10 @@ public function testUserSensitiveValidTransitions($from_id, $to_id, $permission,
$entity->moderation_state = new \stdClass();
$entity->moderation_state->value = $from_id;
$validator = new StateTransitionValidation($this->setUpModerationInformation($entity));
$moderation_info = $this->prophesize(ModerationInformationInterface::class);
$moderation_info->getWorkflowForEntity($entity)->willReturn($this->workflow);
$validator = new StateTransitionValidation($moderation_info->reveal());
$has_transition = FALSE;
foreach ($validator->getValidTransitions($entity, $user->reveal()) as $transition) {
if ($transition->to()->id() === $to_id) {
......@@ -58,27 +94,17 @@ public function testUserSensitiveValidTransitions($from_id, $to_id, $permission,
$this->assertSame($result, $has_transition);
}
protected function setUpModerationInformation(ContentEntityInterface $entity) {
// Create a container so that the plugin manager and workflow type can be
// mocked.
$container = new ContainerBuilder();
$workflow_manager = $this->prophesize(WorkflowTypeManager::class);
$workflow_manager->createInstance('content_moderation', Argument::any())->willReturn(new TestType([], '', []));
$container->set('plugin.manager.workflows.type', $workflow_manager->reveal());
\Drupal::setContainer($container);
$workflow = new Workflow(['id' => 'process', 'type' => 'content_moderation'], 'workflow');
$workflow
->getTypePlugin()
->addState('draft', 'draft')
->addState('needs_review', 'needs_review')
->addState('published', 'published')
->addTransition('draft', 'draft', ['draft'], 'draft')
->addTransition('review', 'review', ['draft'], 'needs_review')
->addTransition('publish', 'publish', ['needs_review', 'published'], 'published');
/**
* @expectedDeprecation Omitting the $entity parameter from Drupal\content_moderation\StateTransitionValidation::isTransitionValid is deprecated and will be required in Drupal 9.0.0.
* @group legacy
*/
public function testDeprecatedEntityParameter() {
$moderation_info = $this->prophesize(ModerationInformationInterface::class);
$moderation_info->getWorkflowForEntity($entity)->willReturn($workflow);
return $moderation_info->reveal();
$state = new State($this->workflow->getTypePlugin(), 'draft', 'draft');
$user = $this->prophesize(AccountInterface::class);
$validator = new StateTransitionValidation($moderation_info->reveal());
$validator->isTransitionValid($this->workflow, $state, $state, $user->reveal());
}
/**
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment