Issue #2744381 by Berdir, Wim Leers, mohit_aghera, mstrelan, lahoosascoots, xjm, dawehner, effulgentsia, larowlan, cilefen: NodeAddAccessCheck allows roles holding the "Administer content types" permission to create nodes
catch
parent
b986c49eb2
commit
33c4319f80
|
|
@ -97,6 +97,7 @@ abstract class DateTestBase extends BrowserTestBase {
|
||||||
'administer entity_test content',
|
'administer entity_test content',
|
||||||
'administer entity_test form display',
|
'administer entity_test form display',
|
||||||
'administer content types',
|
'administer content types',
|
||||||
|
'bypass node access',
|
||||||
'administer node fields',
|
'administer node fields',
|
||||||
]);
|
]);
|
||||||
$this->drupalLogin($web_user);
|
$this->drupalLogin($web_user);
|
||||||
|
|
|
||||||
|
|
@ -85,6 +85,7 @@ class ManageFieldsFunctionalTest extends BrowserTestBase {
|
||||||
$admin_user = $this->drupalCreateUser([
|
$admin_user = $this->drupalCreateUser([
|
||||||
'access content',
|
'access content',
|
||||||
'administer content types',
|
'administer content types',
|
||||||
|
'bypass node access',
|
||||||
'administer node fields',
|
'administer node fields',
|
||||||
'administer node form display',
|
'administer node form display',
|
||||||
'administer node display',
|
'administer node display',
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@ node.add_page:
|
||||||
options:
|
options:
|
||||||
_node_operation_route: TRUE
|
_node_operation_route: TRUE
|
||||||
requirements:
|
requirements:
|
||||||
_node_add_access: 'node'
|
_entity_create_any_access: 'node'
|
||||||
|
|
||||||
node.add:
|
node.add:
|
||||||
path: '/node/add/{node_type}'
|
path: '/node/add/{node_type}'
|
||||||
|
|
@ -30,7 +30,7 @@ node.add:
|
||||||
_entity_form: 'node.default'
|
_entity_form: 'node.default'
|
||||||
_title_callback: '\Drupal\node\Controller\NodeController::addPageTitle'
|
_title_callback: '\Drupal\node\Controller\NodeController::addPageTitle'
|
||||||
requirements:
|
requirements:
|
||||||
_node_add_access: 'node:{node_type}'
|
_entity_create_access: 'node:{node_type}'
|
||||||
options:
|
options:
|
||||||
_node_operation_route: TRUE
|
_node_operation_route: TRUE
|
||||||
parameters:
|
parameters:
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,7 @@ services:
|
||||||
access_check.node.add:
|
access_check.node.add:
|
||||||
class: Drupal\node\Access\NodeAddAccessCheck
|
class: Drupal\node\Access\NodeAddAccessCheck
|
||||||
arguments: ['@entity_type.manager']
|
arguments: ['@entity_type.manager']
|
||||||
|
deprecated: The "%service_id%" service is deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use _entity_create_access or _entity_create_any_access access checks instead. See https://www.drupal.org/node/2836069
|
||||||
tags:
|
tags:
|
||||||
- { name: access_check, applies_to: _node_add_access }
|
- { name: access_check, applies_to: _node_add_access }
|
||||||
access_check.node.preview:
|
access_check.node.preview:
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,11 @@ use Drupal\node\NodeTypeInterface;
|
||||||
* Determines access to for node add pages.
|
* Determines access to for node add pages.
|
||||||
*
|
*
|
||||||
* @ingroup node_access
|
* @ingroup node_access
|
||||||
|
*
|
||||||
|
* @deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use
|
||||||
|
* _entity_create_access or _entity_create_any_access access checks instead.
|
||||||
|
*
|
||||||
|
* @see https://www.drupal.org/node/2836069
|
||||||
*/
|
*/
|
||||||
class NodeAddAccessCheck implements AccessInterface {
|
class NodeAddAccessCheck implements AccessInterface {
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -38,6 +38,7 @@ class NodeAccessMenuLinkTest extends NodeTestBase {
|
||||||
$this->contentAdminUser = $this->drupalCreateUser([
|
$this->contentAdminUser = $this->drupalCreateUser([
|
||||||
'access content',
|
'access content',
|
||||||
'administer content types',
|
'administer content types',
|
||||||
|
'bypass node access',
|
||||||
'administer menu',
|
'administer menu',
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -108,6 +108,13 @@ class NodeCreationTest extends NodeTestBase {
|
||||||
$this->drupalLogin($admin_user);
|
$this->drupalLogin($admin_user);
|
||||||
$this->drupalGet('node/add/page');
|
$this->drupalGet('node/add/page');
|
||||||
$this->assertSession()->fieldNotExists('edit-revision', NULL);
|
$this->assertSession()->fieldNotExists('edit-revision', NULL);
|
||||||
|
|
||||||
|
// Check that a user with administer content types permission is not
|
||||||
|
// allowed to create content.
|
||||||
|
$content_types_admin = $this->drupalCreateUser(['administer content types']);
|
||||||
|
$this->drupalLogin($content_types_admin);
|
||||||
|
$this->drupalGet('node/add/page');
|
||||||
|
$this->assertSession()->statusCodeEquals(403);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -59,6 +59,7 @@ class NodeTypeTranslationTest extends BrowserTestBase {
|
||||||
|
|
||||||
$admin_permissions = [
|
$admin_permissions = [
|
||||||
'administer content types',
|
'administer content types',
|
||||||
|
'bypass node access',
|
||||||
'administer node fields',
|
'administer node fields',
|
||||||
'administer languages',
|
'administer languages',
|
||||||
'administer site configuration',
|
'administer site configuration',
|
||||||
|
|
|
||||||
|
|
@ -109,6 +109,7 @@ class PageCacheTagsIntegrationTest extends BrowserTestBase {
|
||||||
'node:' . $node_1->id(),
|
'node:' . $node_1->id(),
|
||||||
'user:' . $author_1->id(),
|
'user:' . $author_1->id(),
|
||||||
'config:filter.format.basic_html',
|
'config:filter.format.basic_html',
|
||||||
|
'config:node_type_list',
|
||||||
'config:color.theme.bartik',
|
'config:color.theme.bartik',
|
||||||
'config:system.menu.account',
|
'config:system.menu.account',
|
||||||
'config:system.menu.tools',
|
'config:system.menu.tools',
|
||||||
|
|
@ -150,6 +151,7 @@ class PageCacheTagsIntegrationTest extends BrowserTestBase {
|
||||||
'user:' . $author_2->id(),
|
'user:' . $author_2->id(),
|
||||||
'config:color.theme.bartik',
|
'config:color.theme.bartik',
|
||||||
'config:filter.format.full_html',
|
'config:filter.format.full_html',
|
||||||
|
'config:node_type_list',
|
||||||
'config:system.menu.account',
|
'config:system.menu.account',
|
||||||
'config:system.menu.tools',
|
'config:system.menu.tools',
|
||||||
'config:system.menu.footer',
|
'config:system.menu.footer',
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue