Unverified Commit a3ce6e70 authored by alexpott's avatar alexpott

Issue #3038350 by seanB, Wim Leers, effulgentsia: Deny access to all media...

Issue #3038350 by seanB, Wim Leers, effulgentsia: Deny access to all media library View Displays if there is no valid state object
parent 16f38cff
......@@ -2,3 +2,7 @@ services:
media_library.ui_builder:
class: Drupal\media_library\MediaLibraryUiBuilder
arguments: ['@entity_type.manager', '@request_stack', '@views.executable', '@form_builder']
media_library.route_subscriber:
class: Drupal\media_library\Routing\RouteSubscriber
tags:
- { name: event_subscriber }
<?php
namespace Drupal\media_library\Routing;
use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;
/**
* Subscriber for media library routes.
*/
class RouteSubscriber extends RouteSubscriberBase {
/**
* {@inheritdoc}
*/
protected function alterRoutes(RouteCollection $collection) {
// Add the media library UI access checks to the widget displays of the
// media library view.
if ($route = $collection->get('view.media_library.widget')) {
$route->addRequirements(['_custom_access' => 'media_library.ui_builder:checkAccess']);
}
if ($route = $collection->get('view.media_library.widget_table')) {
$route->addRequirements(['_custom_access' => 'media_library.ui_builder:checkAccess']);
}
}
}
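Review bot: The `_custom_access` requirement is attached only to the two route names hard-coded in `alterRoutes()`, and each lookup is skipped silently when `$collection->get()` returns nothing, so a display that is later renamed or added to the media library view would be served without the state check. The commit title speaks of all media library View Displays, so the limit is worth stating in a comment, for example `// Only the 'widget' and 'widget_table' displays are covered; any other page display of this view needs the same requirement.` The two identical `if` blocks could also become one loop over a list of route names, which keeps the guarded set in one place. `addRequirements()` overwrites an existing `_custom_access` entry on a route; none is visible on this page, so that is only something to confirm.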
......@@ -292,6 +292,8 @@ public function testWidgetAccess() {
// Verify that unprivileged users can't access the widget view.
$this->drupalGet('admin/content/media-widget', $url_options);
$assert_session->responseContains('Access denied');
$this->drupalGet('admin/content/media-widget-table', $url_options);
$assert_session->responseContains('Access denied');
$this->drupalGet('media-library', $url_options);
$assert_session->responseContains('Access denied');
......@@ -302,12 +304,23 @@ public function testWidgetAccess() {
]);
$this->drupalGet('admin/content/media-widget', $url_options);
$assert_session->elementExists('css', '.view-media-library');
$this->drupalGet('admin/content/media-widget-table', $url_options);
$assert_session->elementExists('css', '.view-media-library');
$this->drupalGet('media-library', $url_options);
$assert_session->elementExists('css', '.view-media-library');
// Assert the user does not have access to the media add form if the user
// does not have the 'create media' permission.
$assert_session->fieldNotExists('files[upload][]');
// Assert users can not access the widget displays of the media library view
// without a valid media library state.
$this->drupalGet('admin/content/media-widget');
$assert_session->responseContains('Access denied');
$this->drupalGet('admin/content/media-widget-table');
$assert_session->responseContains('Access denied');
$this->drupalGet('media-library');
$assert_session->responseContains('Access denied');
// Assert users with the 'create media' permission can access the media add
// form.
$this->grantPermissions($role, [
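Review bot: The new denial assertions after the `fieldNotExists` check request the three paths with no query options at all, so they cover only a completely absent state. A request carrying an incomplete or altered set of state parameters, which `checkAccess` presumably has to reject as well, is not exercised; one such case per widget path would pin the behaviour the commit title names ("no valid state object"). The checks also rely on the page text `Access denied` via `responseContains`; if the test driver in use exposes the response status, asserting the 403 would be stricter. `testWidgetAccess()` starts and ends outside these hunks.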