Commit 8d844745 authored by cilefen's avatar cilefen

Back to dev.

parents 8153fc67 e2fc6ffe
Drupal 8.2.7, 2017-03-15
------------------------
- Fixed security issues. See SA-CORE-2017-001.
Drupal 8.2.3, 2016-11-16
------------------------
- Fixed security issues. See SA-CORE-2016-005.
......@@ -40,7 +40,7 @@
"jcalderonzumba/gastonjs": "~1.0.2",
"jcalderonzumba/mink-phantomjs-driver": "~0.3.1",
"mikey179/vfsStream": "~1.2",
"phpunit/phpunit": "~4.8",
"phpunit/phpunit": ">=4.8.28 <5",
"symfony/css-selector": "~2.8"
},
"replace": {
......@@ -81,7 +81,7 @@ class Drupal {
/**
* The current system version.
*/
const VERSION = '8.2.7-dev';
const VERSION = '8.2.6';
/**
* Core API compatibility.
......@@ -519,8 +519,8 @@ function editor_file_download($uri) {
if ($file->isPermanent()) {
$referencing_entity_is_accessible = FALSE;
$references = empty($usage_list['editor']) ? [] : $usage_list['editor'];
foreach ($references as $entity_type => $entity_ids) {
$referencing_entities = entity_load_multiple($entity_type, $entity_ids);
foreach ($references as $entity_type => $entity_ids_usage_count) {
$referencing_entities = entity_load_multiple($entity_type, array_keys($entity_ids_usage_count));
/** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */
foreach ($referencing_entities as $referencing_entity) {
if ($referencing_entity->access('view', NULL, TRUE)->isAllowed()) {
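Review bot: The corrected call `entity_load_multiple($entity_type, array_keys($entity_ids_usage_count))` relies on a nested array shape that nothing in the loop documents, and an undocumented shape is how usage counts ended up being loaded as entity IDs in the first place. A comment above the foreach would guard against a repeat, e.g. `// $usage_list['editor'] is keyed by entity type, then by entity ID => usage count; only the keys are entity IDs, the values must never be passed to the loader.` The shape itself is inferred here from the new variable name and the accompanying test, so confirm it against the file usage service before relying on the comment. editor_file_download() starts and ends outside this hunk.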
......@@ -68,9 +68,18 @@ function testEditorPrivateFileReferenceFilter() {
$file->setPermanent();
$file->save();
// Create some nodes to ensure file usage count does not match the ID's
// of the nodes we are going to check.
for ($i = 0; $i < 5; $i++) {
$this->drupalCreateNode([
'type' => 'page',
'uid' => $author->id(),
]);
}
// Create a node with its body field properly pointing to the just-created
// file.
$node = $this->drupalCreateNode([
$published_node = $this->drupalCreateNode([
'type' => 'page',
'body' => [
'value' => '<img alt="alt" data-entity-type="file" data-entity-uuid="' . $file->uuid() . '" src="' . $src . '" />',
......@@ -79,19 +88,44 @@ function testEditorPrivateFileReferenceFilter() {
'uid' => $author->id(),
]);
// Create an unpublished node with its body field properly pointing to the
// just-created file.
$unpublished_node = $this->drupalCreateNode([
'type' => 'page',
'status' => NODE_NOT_PUBLISHED,
'body' => [
'value' => '<img alt="alt" data-entity-type="file" data-entity-uuid="' . $file->uuid() . '" src="' . $src . '" />',
'format' => 'private_images',
],
'uid' => $author->id(),
]);
// Do the actual test. The image should be visible for anonymous users,
// because they can view the referencing entity.
$this->drupalGet($node->toUrl());
// because they can view the published node. Even though they can't view
// the unpublished node.
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(200);
$this->drupalGet($unpublished_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(200);
// When the published node is also unpublished, the image should also
// become inaccessible to anonymous users.
$published_node->setPublished(FALSE)->save();
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
// Disallow anonymous users to view the entity, which then should also
// disallow them to view the image.
$published_node->setPublished(TRUE)->save();
Role::load(RoleInterface::ANONYMOUS_ID)
->revokePermission('access content')
->save();
$this->drupalGet($node->toUrl());
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
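Review bot: The final 403 on `$src` after revoking 'access content' is not clearly attributable to the permission change, because the last positive check of the file happened before `$published_node` was unpublished and re-published; a lingering effect of that round trip would produce the same 403. Re-asserting the positive case right after `$published_node->setPublished(TRUE)->save();` pins the control down: `$this->drupalGet($src); $this->assertSession()->statusCodeEquals(200);`. The filler loop that creates five nodes also silently assumes the file's usage count stays below the IDs of the nodes under test, which holds for this fixture but is worth stating in the comment as a precondition. testEditorPrivateFileReferenceFilter() starts outside this hunk.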
......@@ -37,6 +37,7 @@ entity.search_page.enable:
op: 'enable'
requirements:
_entity_access: 'search_page.update'
_csrf_token: 'TRUE'
entity.search_page.disable:
path: '/admin/config/search/pages/manage/{search_page}/disable'
......@@ -45,6 +46,7 @@ entity.search_page.disable:
op: 'disable'
requirements:
_entity_access: 'search_page.disable'
_csrf_token: 'TRUE'
entity.search_page.set_default:
path: '/admin/config/search/pages/manage/{search_page}/set-default'
......@@ -52,6 +54,7 @@ entity.search_page.set_default:
_controller: '\Drupal\search\Controller\SearchController::setAsDefault'
requirements:
_entity_access: 'search_page.update'
_csrf_token: 'TRUE'
entity.search_page.delete_form:
path: '/admin/config/search/pages/manage/{search_page}/delete'
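Review bot: The enable, disable and set-default routes still change state on a plain GET; `_csrf_token: 'TRUE'` stops forged cross-site requests but moves the token into the URL, where it can surface in access logs and Referer headers. Longer term these actions belong on POST-submitted (confirm) forms; in the meantime a comment beside each requirement, e.g. `# State-changing GET route: links to it must carry the CSRF token.`, would stop a future route edit from dropping the requirement without touching the link generation. Whether the list builder that emits these links already appends the token is not visible in this diff, though the test helper in this commit suggests it does.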
......@@ -75,6 +75,16 @@ public function getFormId() {
public function buildForm(array $form, FormStateInterface $form_state) {
// Set up the form to submit using GET to the correct search page.
$entity_id = $this->searchPageRepository->getDefaultSearchPage();
$form = [];
// SearchPageRepository::getDefaultSearchPage() depends on search.settings.
// The dependency needs to be added before the conditional return, otherwise
// the block would get cached without the necessary cacheablity metadata in
// case there is no default search page and would not be invalidated if that
// changes.
$this->renderer->addCacheableDependency($form, $this->configFactory->get('search.settings'));
if (!$entity_id) {
$form['message'] = array(
'#markup' => $this->t('Search is currently disabled'),
......@@ -103,9 +113,6 @@ public function buildForm(array $form, FormStateInterface $form_state) {
'#name' => '',
);
// SearchPageRepository::getDefaultSearchPage() depends on search.settings.
$this->renderer->addCacheableDependency($form, $this->configFactory->get('search.settings'));
return $form;
}
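Review bot: The added `$form = [];` discards the array the form builder passes into buildForm(), and the surrounding comment explains only why the cacheable dependency moved, not why the reset is needed. If the intent is merely to have an array to attach `#cache` metadata to, the line is redundant because `$form` is already declared `array`; if it is meant to drop caller-supplied keys, that deserves a one-line why-comment, e.g. `// Start from an empty array so no caller-provided keys outlive the early return.` Either way, keeping `$form` as received and calling `$this->renderer->addCacheableDependency($form, ...)` directly appears equivalent for the cacheability fix. buildForm() continues between and after the two hunks shown here.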
......@@ -154,8 +154,7 @@ function testSearchModuleDisabling() {
// Test each plugin if it's enabled as the only search plugin.
foreach ($entities as $entity_id => $entity) {
// Set this as default.
$this->drupalGet("admin/config/search/pages/manage/$entity_id/set-default");
$this->setDefaultThroughUi($entity_id);
// Run a search from the correct search URL.
$info = $plugin_info[$entity_id];
......@@ -187,13 +186,16 @@ function testSearchModuleDisabling() {
$entity->disable()->save();
}
// Set the node search as default.
$this->setDefaultThroughUi('node_search');
// Test with all search plugins enabled. When you go to the search
// page or run search, all plugins should be shown.
foreach ($entities as $entity) {
$entity->enable()->save();
}
// Set the node search as default.
$this->drupalGet('admin/config/search/pages/manage/node_search/set-default');
\Drupal::service('router.builder')->rebuild();
$paths = array(
array('path' => 'search/node', 'options' => array('query' => array('keys' => 'pizza'))),
......@@ -316,6 +318,19 @@ public function testMultipleSearchPages() {
$this->verifySearchPageOperations($first_id, FALSE, FALSE, FALSE, FALSE);
}
/**
* Tests that the enable/disable/default routes are protected from CSRF.
*/
public function testRouteProtection() {
// Ensure that the enable and disable routes are protected.
$this->drupalGet('admin/config/search/pages/manage/node_search/enable');
$this->assertResponse(403);
$this->drupalGet('admin/config/search/pages/manage/node_search/disable');
$this->assertResponse(403);
$this->drupalGet('admin/config/search/pages/manage/node_search/set-default');
$this->assertResponse(403);
}
/**
* Checks that the search page operations match expectations.
*
......@@ -373,4 +388,17 @@ protected function assertDefaultSearch($expected, $message = '', $group = 'Other
$this->assertIdentical($search_page_repository->getDefaultSearchPage(), $expected, $message, $group);
}
/**
* Sets a search page as the default in the UI.
*
* @param string $entity_id
* The search page entity ID to enable.
*/
protected function setDefaultThroughUi($entity_id) {
$this->drupalGet('admin/config/search/pages');
preg_match('|href="([^"]+' . $entity_id . '/set-default[^"]+)"|', $this->getRawContent(), $matches);
$this->drupalGet($this->getAbsoluteUrl($matches[1]));
}
}
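Review bot: setDefaultThroughUi() uses `$matches[1]` without checking that `preg_match()` found the set-default link, so when the link is missing the helper issues a request to an undefined URL and the surrounding test fails with a confusing notice rather than a clear assertion. Guard the lookup, e.g. `$this->assertTrue((bool) preg_match('|href="([^"]+' . preg_quote($entity_id, '|') . '/set-default[^"]+)"|', $this->getRawContent(), $matches), "Set-default link for $entity_id found.");`, which also escapes the entity ID before it is interpolated into the pattern. The docblock is slightly off as well: `@param string $entity_id` is described as "The search page entity ID to enable." but the method sets it as the default, so reword it to "The search page entity ID to set as the default."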
......@@ -1301,7 +1301,7 @@ protected function drupalGet($path, array $options = array(), array $headers = a
}
if ($path instanceof Url) {
$path = $path->toString();
$path = $path->setAbsolute()->toString(TRUE)->getGeneratedUrl();
}
$verbose = 'GET request to: ' . $path .
......@@ -2588,7 +2588,7 @@ protected function buildUrl($path, array $options = array()) {
$url_options = $path->getOptions();
$options = $url_options + $options;
$path->setOptions($options);
return $path->setAbsolute()->toString();
return $path->setAbsolute()->toString(TRUE)->getGeneratedUrl();
}
// The URL generator service is not necessarily available yet; e.g., in
// interactive installer tests.
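Review bot: In drupalGet() the new `$path->setAbsolute()->toString(TRUE)->getGeneratedUrl()` now mutates the caller's `Url` object, since setAbsolute() appears to store the option on the instance and return `$this`, whereas the old `$path->toString()` left it untouched. That is harmless for throwaway `toUrl()` results but can surprise a test that builds one `Url` and reuses it for relative assertions after a drupalGet(). Working on a copy keeps the caller's object intact: `$url = clone $path; $path = $url->setAbsolute()->toString(TRUE)->getGeneratedUrl();`. buildUrl() already mutated its argument via setOptions() before this change, so the same caveat applies there but is not new. Both drupalGet() and buildUrl() start and end outside the hunks shown.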