Commit b225882e authored by Dries's avatar Dries

- Patch #91663 by sun, Berdir, swentel, blackdog, chx: permission of text...

- Patch #91663 by sun, Berdir, swentel, blackdog, chx: permission of text format is not checked when editing an entity and instead reset to something a user can use.
parent 8c4d6ab0
......@@ -438,7 +438,6 @@ function block_custom_block_form($edit = array()) {
'#description' => t('The content of the block as shown to the user.'),
'#required' => TRUE,
'#weight' => -17,
'#access' => filter_access(filter_format_load($edit['format'])),
);
return $form;
......
......@@ -131,7 +131,7 @@ class BlockTestCase extends DrupalWebTestCase {
$block_admin = $this->drupalCreateUser(array('administer blocks'));
$this->drupalLogin($block_admin);
$this->drupalGet('admin/structure/block/manage/block/' . $bid . '/configure');
$this->assertNoText(t('Block body'));
$this->assertFieldByXPath("//textarea[@name='body[value]' and @disabled='disabled']", t('This field has been disabled because you do not have sufficient permissions to edit it.'), t('Body field contains denied message'));
$this->drupalPost('admin/structure/block/manage/block/' . $bid . '/configure', array(), t('Save block'));
$this->assertNoText(t('Ensure that each block description is unique.'));
......
......@@ -849,6 +849,38 @@ function filter_process_format($element) {
'#weight' => 0,
);
// Lastly, disallow editing of this field if the user is not allowed to use
// the stored and preselected text format. But only, if that format actually
// exists.
$all_formats = filter_formats();
if (!isset($formats[$element['#format']]) && isset($all_formats[$element['#format']])) {
// Overload default values into #value to make them unalterable.
$element['value']['#value'] = $element['value']['#default_value'];
$element['format']['format']['#value'] = $element['format']['format']['#default_value'];
// Prepend #pre_render callback to replace field value with user notice
// prior to rendering.
if (!isset($element['value']['#pre_render'])) {
$element['value']['#pre_render'] = array();
}
array_unshift($element['value']['#pre_render'], 'filter_form_access_denied');
// Cosmetic adjustments.
if (isset($element['value']['#rows'])) {
$element['value']['#rows'] = 3;
}
$element['value']['#disabled'] = TRUE;
$element['value']['#resizable'] = FALSE;
// Hide the text format selector and any other child element (such as text
// field's summary).
foreach (element_children($element) as $key) {
if ($key != 'value') {
$element[$key]['#access'] = FALSE;
}
}
}
return $element;
}
......@@ -884,6 +916,22 @@ function filter_form_after_build($element, &$form_state) {
return $element;
}
/**
* #pre_render callback for #type 'text_format' to hide field value from prying eyes.
*
* To not break form processing and previews if a user does not have access to a
* stored text format, the expanded form elements in filter_process_format() are
* forced to take over the stored #default_values for 'value' and 'format'.
* However, to prevent the unfiltered, original #value from being displayed to
* the user, we replace it with a friendly notice here.
*
* @see filter_process_format()
*/
function filter_form_access_denied($element) {
$element['#value'] = t('This field has been disabled because you do not have sufficient permissions to edit it.');
return $element;
}
/**
* Render a text format-enabled form element.
*
......
......@@ -395,7 +395,7 @@ class FilterAdminTestCase extends DrupalWebTestCase {
}
}
class FilterAccessTestCase extends DrupalWebTestCase {
class FilterFormatAccessTestCase extends DrupalWebTestCase {
protected $admin_user;
protected $web_user;
protected $allowed_format;
......@@ -403,8 +403,8 @@ class FilterAccessTestCase extends DrupalWebTestCase {
public static function getInfo() {
return array(
'name' => 'Filter access functionality',
'description' => 'Test the filter access system.',
'name' => 'Filter format access',
'description' => 'Tests access to text formats.',
'group' => 'Filter',
);
}
......@@ -412,8 +412,15 @@ class FilterAccessTestCase extends DrupalWebTestCase {
function setUp() {
parent::setUp();
$this->full_html_format = db_query_range('SELECT * FROM {filter_format} WHERE name = :name', 0, 1, array(':name' => 'Full HTML'))->fetchObject();
// Create two text formats and grant a regular user access to one of them.
$this->admin_user = $this->drupalCreateUser(array('administer filters'));
$this->admin_user = $this->drupalCreateUser(array(
'administer filters',
'create page content',
'edit any page content',
filter_permission_name($this->full_html_format),
));
$this->drupalLogin($this->admin_user);
$formats = array();
for ($i = 0; $i < 2; $i++) {
......@@ -424,7 +431,11 @@ class FilterAccessTestCase extends DrupalWebTestCase {
$formats[] = filter_format_load($format_id);
}
list($this->allowed_format, $this->disallowed_format) = $formats;
$this->web_user = $this->drupalCreateUser(array('create page content', filter_permission_name($this->allowed_format)));
$this->web_user = $this->drupalCreateUser(array(
'create page content',
filter_permission_name($this->allowed_format),
));
}
function testFormatPermissions() {
......@@ -474,6 +485,61 @@ class FilterAccessTestCase extends DrupalWebTestCase {
$this->assertTrue(in_array(filter_fallback_format(), array_keys(filter_get_formats_by_role($rid))), t('The fallback format appears in the list of allowed formats for any role.'));
}
/**
* Test editing a page using a disallowed text format.
*
* Verifies that a regular user is able to edit a page, but is not allowed to
* change the fields which use an inaccessible text format.
*/
function testFormatWidgetPermissions() {
$langcode = LANGUAGE_NONE;
$title_key = "title";
$body_value_key = "body[$langcode][0][value]";
$body_format_key = "body[$langcode][0][format]";
// Create node to edit.
$this->drupalLogin($this->admin_user);
$edit = array();
$edit['title'] = $this->randomName(8);
$edit[$body_value_key] = $this->randomName(16);
$edit[$body_format_key] = $this->full_html_format->format;
$this->drupalPost('node/add/page', $edit, t('Save'));
$node = $this->drupalGetNodeByTitle($edit['title']);
// Try to edit with a less privileged user.
$this->moderator = $this->drupalCreateUser(array(
'edit any page content',
'create page content',
));
$this->drupalLogin($this->moderator);
$this->drupalGet('node/' . $node->nid);
$this->clickLink(t('Edit'));
// Verify that body field is read-only and contains replacement value.
$this->assertFieldByXPath("//textarea[@name='$body_value_key' and @disabled='disabled']", t('This field has been disabled because you do not have sufficient permissions to edit it.'), t('Text format access denied message found.'));
// Verify that title can be changed, but preview displays original body.
$new_edit = array();
$new_edit['title'] = $this->randomName(8);
$this->drupalPost(NULL, $new_edit, t('Preview'));
$this->assertText($edit[$body_value_key], t('Old body found in preview.'));
// Save and verify that only the title was changed.
$this->drupalPost(NULL, $new_edit, t('Save'));
$this->assertNoText($edit['title'], t('Old title not found.'));
$this->assertText($new_edit['title'], t('New title found.'));
$this->assertText($edit[$body_value_key], t('Old body found.'));
// Delete the Full HTML text format.
filter_format_delete($this->full_html_format);
$this->resetFilterCaches();
// Verify that body field can be edited and a new format can be selected.
$this->drupalGet('node/' . $node->nid . '/edit');
$this->assertNoFieldByXPath("//textarea[@name='$body_value_key' and @disabled='disabled']", NULL, t('Text format access denied message not found.'));
$this->assertFieldByXPath("//select[@name='$body_format_key']", NULL, t('Text format selector found.'));
}
/**
* Returns the expected HTML for a particular text format selector.
*
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment