Commit 9f9d61a5 authored by xjm's avatar xjm

SA-CORE-2019-008 by dwbotsch, xjm, mlhess, cilefen, greggles, drumm, alexpott, amateescu

parent dbde118e
......@@ -124,10 +124,8 @@ protected function bypassAccessResult(AccountInterface $account) {
// to ALL THE THINGS! That's why this is a dangerous permission.
$active_workspace = $this->workspaceManager->getActiveWorkspace();
$owner_has_access = AccessResult::allowedIf($active_workspace->getOwnerId() == $account->id())
->cachePerUser()->addCacheableDependency($active_workspace);
$access_bypass = AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace');
return $owner_has_access->orIf($access_bypass);
return AccessResult::allowedIf($active_workspace->getOwnerId() == $account->id())->cachePerUser()->addCacheableDependency($active_workspace)
->andIf(AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace'));
}
}
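Review bot: The new return statement carries the whole fix in one long chained expression, with no comment saying that workspace ownership and the permission are now both required. That is the property a later refactor could silently undo, so I would add a comment directly above it, e.g. `// Require BOTH ownership of the active workspace and the bypass permission; either one alone must not grant access.`, and keep the two intermediate results in named variables as the old code did so the `andIf()` stands out. The ownership test also uses a loose `==` between `getOwnerId()` and `$account->id()`; if that is deliberate because the two ids can differ in type, a short note saying so would stop someone tightening it incorrectly. bypassAccessResult() starts above this hunk, so how `$active_workspace` is validated is not visible here.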
......@@ -55,10 +55,10 @@ public function testBypassOwnWorkspace() {
$this->drupalLogin($lombardi);
$this->switchToWorkspace($bears);
// Editor 2 should be able to create and edit any node because of the
// assigned bypass permission.
// Editor 2 has the bypass permission but does not own the workspace and so,
// should not be able to create and edit any node.
$this->drupalGet('/node/' . $ditka_bears_node_id . '/edit');
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->statusCodeEquals(403);
}
}
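Review bot: Only one half of the new AND condition is asserted in this hunk: a user who has the permission but does not own the workspace gets 403 on the edit form. The mirror case, the workspace owner who lacks 'bypass entity access own workspace', is not checked in the visible lines, and it would catch a regression to `orIf()` from the other side. If the rest of testBypassOwnWorkspace() (which starts above this hunk) does not already cover it, I would add that case. I would also add a request to the node create form, since the comment mentions create but only the edit URL is requested here.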
<?php
/**
* @file
* Post update functions for the Workspaces module.
*/
/**
* Clear caches due to access changes.
*/
function workspaces_post_update_access_clear_caches() {
}
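Review bot: The empty body of workspaces_post_update_access_clear_caches() reads like an unfinished function unless the reader knows the convention. A one-line comment inside it, e.g. `// Empty post-update hook: running it is enough to have caches rebuilt.`, would make the intent explicit. This matters for the fix because the access result in bypassAccessResult() is cached per user, so results computed under the old logic presumably keep granting access until caches are rebuilt. The docblock could say that sites must run database updates for the access change to take full effect.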