Commit 75d6aa33 authored by xjm's avatar xjm

SA-CORE-2016-004 by alexpott, andypost, antongp, cashwilliams, catch, Chi,...

SA-CORE-2016-004 by alexpott, andypost, antongp, cashwilliams, catch, Chi, dawehner, dsnopek, Heine, kierheyl, Pere Orga, pwolanin, larowlan, q2u, stefan.r, xjm
parent 1ffb177e
......@@ -188,13 +188,16 @@ public function onException(GetResponseForExceptionEvent $event) {
if (!method_exists($this, $method)) {
if ($exception instanceof HttpExceptionInterface) {
$this->onFormatUnknown($event);
$response = $event->getResponse();
$response->headers->set('Content-Type', 'text/plain');
}
else {
$this->onHtml($event);
}
return;
}
$this->$method($event);
else {
$this->$method($event);
}
}
/**
......
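Review bot: The line that forces `Content-Type: text/plain` has no comment saying why the negotiated type is discarded, and that is the whole security point of this hunk; a later cleanup could easily "restore" the requested format. Suggest `// Force text/plain: a response for a format we cannot render must never be interpreted as HTML, since the exception message can echo request data verbatim (see testExceptionEscaping).` Note that the header is set without a charset while the companion test expects `text/plain; charset=UTF-8`, so the test presumably relies on Response::prepare() appending it — worth stating in the comment if that is the intent. onException() starts outside the hunk.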
......@@ -2,7 +2,9 @@
namespace Drupal\comment;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldItemList;
use Drupal\Core\Session\AccountInterface;
/**
* Defines a item list class for comment fields.
......@@ -37,4 +39,28 @@ public function offsetExists($offset) {
return parent::offsetExists($offset);
}
/**
* {@inheritdoc}
*/
public function access($operation = 'view', AccountInterface $account = NULL, $return_as_object = FALSE) {
if ($operation === 'edit') {
// Only users with administer comments permission can edit the comment
// status field.
$result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'administer comments');
return $return_as_object ? $result : $result->isAllowed();
}
if ($operation === 'view') {
// Only users with either post comments or access comments permisison can
// view the field value. The formatter,
// Drupal\comment\Plugin\Field\FieldFormatter\CommentDefaultFormatter,
// takes care of showing the thread and form based on individual
// permissions, so if a user only has ‘post comments’ access, only the
// form will be shown and not the comments.
$result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'access comments')
->orIf(AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'post comments'));
return $return_as_object ? $result : $result->isAllowed();
}
return parent::access($operation, $account, $return_as_object);
}
}
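Review bot: In the new access() method `$account ?: \Drupal::currentUser()` is evaluated up to three times (once in the `edit` branch, twice in the `view` branch); resolving it once before the operation checks, `$account = $account ?: \Drupal::currentUser();`, removes the repetition and the container lookups. The early returns for `edit` and `view` mean `parent::access()` is never reached for those operations, so whatever additional field-access checks the parent performs appear to be bypassed there; if that narrowing is deliberate, a one-line comment saying so would stop someone "fixing" it later, otherwise combine with `->andIf(parent::access($operation, $account, TRUE))`. The comment in the `view` branch misspells "permission" as "permisison".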
......@@ -384,6 +384,7 @@ function testCommentFunctionality() {
'administer entity_test fields',
'view test entity',
'administer entity_test content',
'administer comments',
));
$this->drupalLogin($limited_user);
$this->drupalGet('entity_test/structure/entity_test/fields/entity_test.entity_test.comment');
......
<?php
namespace Drupal\Tests\comment\Functional;
use Drupal\comment\Tests\CommentTestTrait;
use Drupal\node\Entity\NodeType;
use Drupal\Tests\BrowserTestBase;
/**
* Tests comment status field access.
*
* @group comment
*/
class CommentStatusFieldAccessTest extends BrowserTestBase {
use CommentTestTrait;
/**
* {@inheritdoc}
*/
public $profile = 'testing';
/**
* Comment admin.
*
* @var \Drupal\user\UserInterface
*/
protected $commentAdmin;
/**
* Node author.
*
* @var \Drupal\user\UserInterface
*/
protected $nodeAuthor;
/**
* {@inheritdoc}
*/
public static $modules = [
'node',
'comment',
'user',
'system',
'text',
];
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
$node_type = NodeType::create([
'type' => 'article',
'name' => t('Article'),
]);
$node_type->save();
$this->nodeAuthor = $this->drupalCreateUser([
'create article content',
'skip comment approval',
'post comments',
'edit own comments',
'access comments',
'administer nodes',
]);
$this->commentAdmin = $this->drupalCreateUser([
'administer comments',
'create article content',
'edit own comments',
'skip comment approval',
'post comments',
'access comments',
'administer nodes',
]);
$this->addDefaultCommentField('node', 'article');
}
/**
* Tests comment status field access.
*/
public function testCommentStatusFieldAccessStatus() {
$this->drupalLogin($this->nodeAuthor);
$this->drupalGet('node/add/article');
$assert = $this->assertSession();
$assert->fieldNotExists('comment[0][status]');
$this->submitForm([
'title[0][value]' => 'Node 1',
], t('Save and publish'));
$assert->fieldExists('subject[0][value]');
$this->drupalLogin($this->commentAdmin);
$this->drupalGet('node/add/article');
$assert->fieldExists('comment[0][status]');
$this->submitForm([
'title[0][value]' => 'Node 2',
], t('Save and publish'));
$assert->fieldExists('subject[0][value]');
}
}
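Review bot: The test only exercises the `edit` path of the new CommentFieldItemList::access() (status widget hidden on node/add for the author, shown for the admin); the `view` branch, which grants access on either "access comments" or "post comments", is not covered, so a user holding neither permission viewing an article would be a useful third case. The form labels and button text are passed through `t()` (`t('Article')`, `t('Save and publish')`); test fixtures normally use plain strings, since nothing here is user-facing. A short docblock on `testCommentStatusFieldAccessStatus()` naming the two users and what each is expected to see would make the intent clearer than the current one-liner.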
......@@ -65,14 +65,17 @@ function config_file_download($uri) {
$scheme = file_uri_scheme($uri);
$target = file_uri_target($uri);
if ($scheme == 'temporary' && $target == 'config.tar.gz') {
$request = \Drupal::request();
$date = DateTime::createFromFormat('U', $request->server->get('REQUEST_TIME'));
$date_string = $date->format('Y-m-d-H-i');
$hostname = str_replace('.', '-', $request->getHttpHost());
$filename = 'config' . '-' . $hostname . '-' . $date_string . '.tar.gz';
$disposition = 'attachment; filename="' . $filename . '"';
return array(
'Content-disposition' => $disposition,
);
if (\Drupal::currentUser()->hasPermission('export configuration')) {
$request = \Drupal::request();
$date = DateTime::createFromFormat('U', $request->server->get('REQUEST_TIME'));
$date_string = $date->format('Y-m-d-H-i');
$hostname = str_replace('.', '-', $request->getHttpHost());
$filename = 'config' . '-' . $hostname . '-' . $date_string . '.tar.gz';
$disposition = 'attachment; filename="' . $filename . '"';
return array(
'Content-disposition' => $disposition,
);
}
return -1;
}
}
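Review bot: The new `return -1;` is a bare magic value; it is presumably the hook_file_download() convention for "access denied", but nothing in the hunk says so, and a reader may take it for an error code. Suggest `// -1 tells hook_file_download() to deny access to the export archive.` on that line. The check could also be written as a guard clause, `if (!\Drupal::currentUser()->hasPermission('export configuration')) { return -1; }`, which keeps the header-building block at its original indentation and makes the permission requirement the first thing a reader sees. The surrounding `$scheme == 'temporary'` comparison is context, not part of this change, but `===` would be the safer form.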
......@@ -88,6 +88,12 @@ function testExport() {
// Check the single export form doesn't have "form-required" elements.
$this->drupalGet('admin/config/development/configuration/single/export');
$this->assertNoRaw('js-form-required form-required', 'No form required fields are found.');
// Ensure the temporary file is not available to users without the
// permission.
$this->drupalLogout();
$this->drupalGet('system/temporary', ['query' => ['file' => 'config.tar.gz']]);
$this->assertResponse(403);
}
}
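Review bot: The new assertion covers only the anonymous case (after `drupalLogout()`); an authenticated user who lacks "export configuration" is the other path the permission check in config_file_download() denies, and is not exercised here. Adding a second request after logging in as a user created without that permission, and asserting 403 again, would pin both branches of the fix. The comment above the added lines could say which permission is meant, e.g. `// ... without the 'export configuration' permission.`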
......@@ -185,6 +185,17 @@ public function testExceptionEscaping() {
$this->setRawContent($response->getContent());
$this->assertRaw(Html::escape('Escaped content: <p> <br> <h3>'));
$this->assertNoRaw('<p> <br> <h3>');
$string = '<script>alert(123);</script>';
$request = Request::create('/router_test/test2?_format=json' . urlencode($string), 'GET');
$kernel = \Drupal::getContainer()->get('http_kernel');
$response = $kernel->handle($request)->prepare($request);
// As the Content-type is text/plain the fact that the raw string is
// contained in the output does not matter.
$this->assertEqual($response->headers->get('Content-type'), 'text/plain; charset=UTF-8');
$this->setRawContent($response->getContent());
$this->assertRaw($string);
}
}
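Review bot: The added assertions pin `text/plain; charset=UTF-8` but the protection also depends on the browser honouring that header rather than sniffing the body, which still contains the raw `<script>` string; if the kernel sets `X-Content-Type-Options: nosniff` on this response, asserting it here would document that assumption in the same test. `$string` is a vague name for the payload — `$script` or `$unescaped` would read better alongside `assertRaw($string)`. A one-line comment above `Request::create(...)` explaining that an unknown `_format` value is what routes the request into the text/plain branch would tie the test to the code it covers.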