Commit bf66bcd5 authored by klausi's avatar klausi

Patch by Devin Carlson: Enforce node access checks on comment access callback.

parent 3fcfc622
......@@ -535,6 +535,57 @@ class EntityAPIRulesIntegrationTestCase extends EntityWebTestCase {
}
}
/**
* Tests comments with node access.
*/
class EntityAPICommentNodeAccessTestCase extends CommentHelperCase {
public static function getInfo() {
return array(
'name' => 'Entity API comment node access',
'description' => 'Test viewing comments on nodes with node access.',
'group' => 'Entity API',
);
}
function setUp() {
DrupalWebTestCase::setUp('comment', 'entity', 'node_access_test');
node_access_rebuild();
// Create test node and user with simple node access permission. The
// 'node test view' permission is implemented and granted by the
// node_access_test module.
$this->accessUser = $this->drupalCreateUser(array('access comments', 'post comments', 'edit own comments', 'node test view'));
$this->noAccessUser = $this->drupalCreateUser(array('administer comments'));
$this->node = $this->drupalCreateNode(array('type' => 'article', 'uid' => $this->accessUser->uid));
}
/**
* Tests comment access when node access is enabled.
*/
function testCommentNodeAccess() {
// Post comment.
$this->drupalLogin($this->accessUser);
$comment_text = $this->randomName();
$comment = $this->postComment($this->node, $comment_text);
$comment_loaded = comment_load($comment->id);
$this->assertTrue($this->commentExists($comment), 'Comment found.');
$this->drupalLogout();
// Check access to node and associated comment for access user.
$this->assertTrue(entity_access('view', 'node', $this->node, $this->accessUser), 'Access to view node was granted for access user');
$this->assertTrue(entity_access('view', 'comment', $comment_loaded, $this->accessUser), 'Access to view comment was granted for access user');
$this->assertTrue(entity_access('update', 'comment', $comment_loaded, $this->accessUser), 'Access to update comment was granted for access user');
$this->assertFalse(entity_access('delete', 'comment', $comment_loaded, $this->accessUser), 'Access to delete comment was denied for access user');
// Check access to node and associated comment for no access user.
$this->assertFalse(entity_access('view', 'node', $this->node, $this->noAccessUser), 'Access to view node was denied for no access user');
$this->assertFalse(entity_access('view', 'comment', $comment_loaded, $this->noAccessUser), 'Access to view comment was denied for no access user');
$this->assertFalse(entity_access('update', 'comment', $comment_loaded, $this->noAccessUser), 'Access to update comment was denied for no access user');
$this->assertFalse(entity_access('delete', 'comment', $comment_loaded, $this->noAccessUser), 'Access to delete comment was denied for no access user');
}
}
/**
* Test the i18n integration.
*/
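Review bot: testCommentNodeAccess only exercises the explicit-`$account` path of entity_metadata_comment_access; the branch that falls back to `comment_access('edit', $entity)` when no account is passed (the logged-in global user) is never asserted, nor is a denied view for a logged-in user without 'node test view'. Adding, before the `$this->drupalLogout()` call while `$this->accessUser` is still logged in, `$this->assertTrue(entity_access('update', 'comment', $comment_loaded), 'Access to update comment was granted for the current user');` and a mirrored assertFalse pass for `$this->noAccessUser` would cover both sides of that branch. Separately, `setUp()` calls `DrupalWebTestCase::setUp(...)` directly and so bypasses whatever CommentHelperCase::setUp does; if that is deliberate, a one-line comment saying why would save the next reader a detour.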
......@@ -681,8 +681,24 @@ function entity_metadata_user_properties_access($op, $property, $entity = NULL,
* Access callback for the comment entity.
*/
function entity_metadata_comment_access($op, $entity = NULL, $account = NULL) {
if (isset($entity) && !isset($account) && comment_access($op, $entity)) {
return TRUE;
// When determining access to a comment, 'comment_access' does not take any
// access restrictions to the comment's associated node into account. If a
// comment has an associated node, the user must be able to view it in order
// to access the comment.
if (isset($entity->nid)) {
if (!entity_access('view', 'node', node_load($entity->nid), $account)) {
return FALSE;
}
}
if (isset($entity) && $op == 'update') {
// Because 'comment_access' only checks the current user, we need to do our
// own access checking if an account was specified.
if (!isset($account)) {
return comment_access('edit', $entity);
}
else {
return ($account->uid && $account->uid == $entity->uid && $entity->status == COMMENT_PUBLISHED && user_access('edit own comments', $account)) || user_access('administer comments', $account);
}
}
if (user_access('administer comments', $account) || user_access('access comments', $account) && $op == 'view') {
return TRUE;
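Review bot: In the new `if (isset($entity->nid))` block, `node_load($entity->nid)` returns FALSE when the referenced node no longer exists, and that FALSE is passed straight into `entity_access('view', 'node', ...)` instead of being treated as a denial, so an orphaned comment's outcome depends on how the node access callback copes with a non-object. It should fail closed: `$node = node_load($entity->nid); if (!$node || !entity_access('view', 'node', $node, $account)) { return FALSE; }`. When `$account` is NULL the node check presumably resolves to the global user inside the node access callback, which is the same convention the 'update' branch relies on via `comment_access('edit', $entity)`; a short comment on the node check stating that `$account === NULL` means the current user would make the contract explicit. entity_metadata_comment_access's closing brace lies outside the hunk.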