Issue #2744381 by Berdir, Wim Leers, mohit_aghera, mstrelan, lahoosascoots, xjm, dawehner, effulgentsia, larowlan, cilefen: NodeAddAccessCheck allows roles holding the "Administer content types" permission to create nodes
catch
parent
b986c49eb2
commit
33c4319f80
|
|
@ -97,6 +97,7 @@ abstract class DateTestBase extends BrowserTestBase {
|
|||
'administer entity_test content',
|
||||
'administer entity_test form display',
|
||||
'administer content types',
|
||||
'bypass node access',
|
||||
'administer node fields',
|
||||
]);
|
||||
$this->drupalLogin($web_user);
|
||||
|
|
|
|||
|
|
@ -85,6 +85,7 @@ class ManageFieldsFunctionalTest extends BrowserTestBase {
|
|||
$admin_user = $this->drupalCreateUser([
|
||||
'access content',
|
||||
'administer content types',
|
||||
'bypass node access',
|
||||
'administer node fields',
|
||||
'administer node form display',
|
||||
'administer node display',
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ node.add_page:
|
|||
options:
|
||||
_node_operation_route: TRUE
|
||||
requirements:
|
||||
_node_add_access: 'node'
|
||||
_entity_create_any_access: 'node'
|
||||
|
||||
node.add:
|
||||
path: '/node/add/{node_type}'
|
||||
|
|
@ -30,7 +30,7 @@ node.add:
|
|||
_entity_form: 'node.default'
|
||||
_title_callback: '\Drupal\node\Controller\NodeController::addPageTitle'
|
||||
requirements:
|
||||
_node_add_access: 'node:{node_type}'
|
||||
_entity_create_access: 'node:{node_type}'
|
||||
options:
|
||||
_node_operation_route: TRUE
|
||||
parameters:
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ services:
|
|||
access_check.node.add:
|
||||
class: Drupal\node\Access\NodeAddAccessCheck
|
||||
arguments: ['@entity_type.manager']
|
||||
deprecated: The "%service_id%" service is deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use _entity_create_access or _entity_create_any_access access checks instead. See https://www.drupal.org/node/2836069
|
||||
tags:
|
||||
- { name: access_check, applies_to: _node_add_access }
|
||||
access_check.node.preview:
|
||||
|
|
|
|||
|
|
@ -12,6 +12,11 @@ use Drupal\node\NodeTypeInterface;
|
|||
* Determines access to for node add pages.
|
||||
*
|
||||
* @ingroup node_access
|
||||
*
|
||||
* @deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use
|
||||
* _entity_create_access or _entity_create_any_access access checks instead.
|
||||
*
|
||||
* @see https://www.drupal.org/node/2836069
|
||||
*/
|
||||
class NodeAddAccessCheck implements AccessInterface {
|
||||
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ class NodeAccessMenuLinkTest extends NodeTestBase {
|
|||
$this->contentAdminUser = $this->drupalCreateUser([
|
||||
'access content',
|
||||
'administer content types',
|
||||
'bypass node access',
|
||||
'administer menu',
|
||||
]);
|
||||
|
||||
|
|
|
|||
|
|
@ -108,6 +108,13 @@ class NodeCreationTest extends NodeTestBase {
|
|||
$this->drupalLogin($admin_user);
|
||||
$this->drupalGet('node/add/page');
|
||||
$this->assertSession()->fieldNotExists('edit-revision', NULL);
|
||||
|
||||
// Check that a user with administer content types permission is not
|
||||
// allowed to create content.
|
||||
$content_types_admin = $this->drupalCreateUser(['administer content types']);
|
||||
$this->drupalLogin($content_types_admin);
|
||||
$this->drupalGet('node/add/page');
|
||||
$this->assertSession()->statusCodeEquals(403);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -59,6 +59,7 @@ class NodeTypeTranslationTest extends BrowserTestBase {
|
|||
|
||||
$admin_permissions = [
|
||||
'administer content types',
|
||||
'bypass node access',
|
||||
'administer node fields',
|
||||
'administer languages',
|
||||
'administer site configuration',
|
||||
|
|
|
|||
|
|
@ -109,6 +109,7 @@ class PageCacheTagsIntegrationTest extends BrowserTestBase {
|
|||
'node:' . $node_1->id(),
|
||||
'user:' . $author_1->id(),
|
||||
'config:filter.format.basic_html',
|
||||
'config:node_type_list',
|
||||
'config:color.theme.bartik',
|
||||
'config:system.menu.account',
|
||||
'config:system.menu.tools',
|
||||
|
|
@ -150,6 +151,7 @@ class PageCacheTagsIntegrationTest extends BrowserTestBase {
|
|||
'user:' . $author_2->id(),
|
||||
'config:color.theme.bartik',
|
||||
'config:filter.format.full_html',
|
||||
'config:node_type_list',
|
||||
'config:system.menu.account',
|
||||
'config:system.menu.tools',
|
||||
'config:system.menu.footer',
|
||||
|
|
|
|||
Loading…
Reference in New Issue