Commit ed01f40c authored by alexpott's avatar alexpott

Issue #2157541 by dawehner, penyaskito, tim.plunkett, Désiré: Views sets...

Issue #2157541 by dawehner, penyaskito, tim.plunkett, Désiré: Views sets access to ANY on routes - could result in information disclosure
parent 40a7440d
......@@ -19,10 +19,10 @@
* To define permissions you can use a $module.permissions.yml file:
*
* @code
* access all views:
* title: 'Bypass views access control'
* description: 'Bypass access control when accessing views.'
* administer permissions:
* title: Administer permissions
* restrict access: true
* description: some description
* @endcode
*/
class PermissionHandler implements PermissionHandlerInterface {
......
......@@ -73,7 +73,7 @@ public static function create(ContainerInterface $container, array $configuratio
* {@inheritdoc}
*/
public function access(AccountInterface $account) {
return $account->hasPermission($this->options['perm']) || $account->hasPermission('access all views');
return $account->hasPermission($this->options['perm']);
}
/**
......@@ -118,7 +118,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) {
'#options' => $perms,
'#title' => $this->t('Permission'),
'#default_value' => $this->options['perm'],
'#description' => $this->t('Only users with the selected permission flag will be able to access this display. Note that users with "access all views" can see any view, regardless of other permissions.'),
'#description' => $this->t('Only users with the selected permission flag will be able to access this display.'),
);
}
......
......@@ -35,7 +35,7 @@ class Role extends AccessPluginBase {
* {@inheritdoc}
*/
public function access(AccountInterface $account) {
return $account->hasPermission('access all views') || array_intersect(array_filter($this->options['role']), $account->getRoles());
return array_intersect(array_filter($this->options['role']), $account->getRoles());
}
/**
......@@ -77,7 +77,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) {
'#title' => $this->t('Role'),
'#default_value' => $this->options['role'],
'#options' => array_map('\Drupal\Component\Utility\String::checkPlain', user_role_names()),
'#description' => $this->t('Only the checked roles will be able to access this display. Note that users with "access all views" can see any view, regardless of role.'),
'#description' => $this->t('Only the checked roles will be able to access this display.'),
);
}
......
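Review bot: `Role::access()` now returns the array produced by `array_intersect()` rather than a boolean, because the removed `$account->hasPermission('access all views') ||` operand was the only thing coercing the result. An access decision that relies on truthiness is fragile: a caller that compares strictly against `TRUE`, or expects a `bool`, would treat a matching role as a denial or fail on the type. Cast explicitly, `return (bool) array_intersect(array_filter($this->options['role']), $account->getRoles());`, so the plugin's contract matches `Permission::access()`, which returns the result of `hasPermission()` directly. The method is still documented only with `{@inheritdoc}`, so a one-line comment that an empty role selection denies everyone would also help.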
......@@ -36,7 +36,6 @@ function testAccessPerm() {
$this->assertTrue($access_plugin instanceof Permission, 'Make sure the right class got instantiated.');
$this->assertEqual($access_plugin->pluginTitle(), t('Permission'));
$this->assertTrue($view->display_handler->access($this->adminUser), 'Admin-Account should be able to access the view everytime');
$this->assertFalse($view->display_handler->access($this->webUser));
$this->assertTrue($view->display_handler->access($this->normalUser));
}
......
......@@ -46,14 +46,9 @@ function testAccessRole() {
$this->assertTrue($access_plugin instanceof Role, 'Make sure the right class got instantiated.');
// Test the access() method on the access plugin.
$this->assertTrue($executable->display_handler->access($this->adminUser), 'Admin-Account should be able to access the view everytime');
$this->assertFalse($executable->display_handler->access($this->webUser));
$this->assertTrue($executable->display_handler->access($this->normalUser));
$this->drupalLogin($this->adminUser);
$this->drupalGet('test-role');
$this->assertResponse(200);
$this->drupalLogin($this->webUser);
$this->drupalGet('test-role');
$this->assertResponse(403);
......
......@@ -12,13 +12,6 @@
*/
abstract class AccessTestBase extends UserTestBase {
/**
* Contains a user object that can access all views.
*
* @var \Drupal\user\UserInterface
*/
protected $adminUser;
/**
* Contains a user object that has no special permissions.
*
......@@ -52,7 +45,6 @@ protected function setUp() {
$this->enableViewsTestModule();
$this->adminUser = $this->drupalCreateUser(array('access all views'));
$this->webUser = $this->drupalCreateUser();
$roles = $this->webUser->getRoles();
$this->webRole = $roles[0];
......
......@@ -2251,11 +2251,6 @@ public function access(AccountInterface $account = NULL) {
$account = \Drupal::currentUser();
}
// Full override.
if ($account->hasPermission('access all views')) {
return TRUE;
}
$plugin = $this->getPlugin('access');
/** @var \Drupal\views\Plugin\views\access\AccessPluginBase $plugin */
if ($plugin) {
......
......@@ -200,9 +200,6 @@ protected function getRoute($view_id, $display_id) {
$access_plugin = Views::pluginManager('access')->createInstance('none');
}
$access_plugin->alterRouteDefinition($route);
// @todo Figure out whether _access_mode ANY is the proper one. This is
// particular important for altering routes.
$route->setOption('_access_mode', AccessManagerInterface::ACCESS_MODE_ANY);
// Set the argument map, in order to support named parameters.
$route->setOption('_view_argument_map', $argument_map);
......
......@@ -40,7 +40,6 @@ protected function setUp() {
ViewTestData::createTestViews(get_class($this), array('views_test_data'));
$this->admin_user = $this->drupalCreateUser(array('access all views'));
$this->web_user = $this->drupalCreateUser();
$roles = $this->web_user->getRoles();
$this->web_role = $roles[0];
......@@ -59,7 +58,6 @@ function testAccessNone() {
$view = Views::getView('test_access_none');
$view->setDisplay();
$this->assertTrue($view->display_handler->access($this->admin_user), 'Admin-Account should be able to access the view everytime');
$this->assertTrue($view->display_handler->access($this->web_user));
$this->assertTrue($view->display_handler->access($this->normal_user));
}
......
<?php
/**
* @file
* Contains \Drupal\views\ViewsAccessCheck.
*/
namespace Drupal\views;
use Drupal\Core\Access\AccessCheckInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\Routing\Route;
/**
* Defines a route access checker for the _access_all_views permission.
*
* @todo We could leverage the permission one as well?
*/
class ViewsAccessCheck implements AccessCheckInterface {
/**
* {@inheritdoc}
*/
public function applies(Route $route) {
return $route->hasDefault('view_id');
}
/**
* Checks access.
*
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(AccountInterface $account) {
return AccessResult::allowedIfHasPermission($account, 'access all views');
}
}
access all views:
title: 'Bypass views access control'
description: 'Bypass access control when accessing views.'
restrict access: true
......@@ -73,9 +73,5 @@ services:
arguments: ['@entity.manager', '@state']
tags:
- { name: 'event_subscriber' }
views.route_access_check:
class: Drupal\views\ViewsAccessCheck
tags:
- { name: 'access_check' }
views.exposed_form_cache:
class: Drupal\views\ExposedFormCache