Issue #3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update introduces breaking changes to content moderation
Alex Pott
parent
030a9cefc2
commit
73d9d9b770
|
|
@ -123,7 +123,7 @@ class ModerationStateConstraintValidator extends ConstraintValidator implements
|
||||||
else {
|
else {
|
||||||
// If we're sure the transition exists, make sure the user has permission
|
// If we're sure the transition exists, make sure the user has permission
|
||||||
// to use it.
|
// to use it.
|
||||||
if (!$this->stateTransitionValidation->isTransitionValid($workflow, $original_state, $new_state, $this->currentUser)) {
|
if (!$this->stateTransitionValidation->isTransitionValid($workflow, $original_state, $new_state, $this->currentUser, $entity)) {
|
||||||
$this->context->addViolation($constraint->invalidTransitionAccess, [
|
$this->context->addViolation($constraint->invalidTransitionAccess, [
|
||||||
'%original_state' => $original_state->label(),
|
'%original_state' => $original_state->label(),
|
||||||
'%new_state' => $new_state->label(),
|
'%new_state' => $new_state->label(),
|
||||||
|
|
|
||||||
|
|
@ -52,7 +52,10 @@ class StateTransitionValidation implements StateTransitionValidationInterface {
|
||||||
/**
|
/**
|
||||||
* {@inheritdoc}
|
* {@inheritdoc}
|
||||||
*/
|
*/
|
||||||
public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user) {
|
public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user, ContentEntityInterface $entity = NULL) {
|
||||||
|
if ($entity === NULL) {
|
||||||
|
@trigger_error(sprintf('Omitting the $entity parameter from %s is deprecated and will be required in Drupal 9.0.0.', __METHOD__), E_USER_DEPRECATED);
|
||||||
|
}
|
||||||
$transition = $workflow->getTypePlugin()->getTransitionFromStateToState($original_state->id(), $new_state->id());
|
$transition = $workflow->getTypePlugin()->getTransitionFromStateToState($original_state->id(), $new_state->id());
|
||||||
return $user->hasPermission('use ' . $workflow->id() . ' transition ' . $transition->id());
|
return $user->hasPermission('use ' . $workflow->id() . ' transition ' . $transition->id());
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -36,10 +36,13 @@ interface StateTransitionValidationInterface {
|
||||||
* The new workflow state.
|
* The new workflow state.
|
||||||
* @param \Drupal\Core\Session\AccountInterface $user
|
* @param \Drupal\Core\Session\AccountInterface $user
|
||||||
* The user to validate.
|
* The user to validate.
|
||||||
|
* @param \Drupal\Core\Entity\ContentEntityInterface $entity
|
||||||
|
* (optional) The entity to be transitioned. Omitting this parameter is
|
||||||
|
* deprecated and will be required in Drupal 9.0.0.
|
||||||
*
|
*
|
||||||
* @return bool
|
* @return bool
|
||||||
* Returns TRUE if transition is valid, otherwise FALSE.
|
* Returns TRUE if transition is valid, otherwise FALSE.
|
||||||
*/
|
*/
|
||||||
public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user);
|
public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user, ContentEntityInterface $entity = NULL);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ use Drupal\content_moderation\StateTransitionValidation;
|
||||||
use Drupal\Tests\UnitTestCase;
|
use Drupal\Tests\UnitTestCase;
|
||||||
use Drupal\workflow_type_test\Plugin\WorkflowType\TestType;
|
use Drupal\workflow_type_test\Plugin\WorkflowType\TestType;
|
||||||
use Drupal\workflows\Entity\Workflow;
|
use Drupal\workflows\Entity\Workflow;
|
||||||
|
use Drupal\workflows\State;
|
||||||
use Drupal\workflows\WorkflowTypeManager;
|
use Drupal\workflows\WorkflowTypeManager;
|
||||||
use Prophecy\Argument;
|
use Prophecy\Argument;
|
||||||
|
|
||||||
|
|
@ -19,6 +20,38 @@ use Prophecy\Argument;
|
||||||
*/
|
*/
|
||||||
class StateTransitionValidationTest extends UnitTestCase {
|
class StateTransitionValidationTest extends UnitTestCase {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A test workflow.
|
||||||
|
*
|
||||||
|
* @var \Drupal\workflows\WorkflowInterface
|
||||||
|
*/
|
||||||
|
protected $workflow;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* {@inheritdoc}
|
||||||
|
*/
|
||||||
|
protected function setUp() {
|
||||||
|
parent::setUp();
|
||||||
|
|
||||||
|
// Create a container so that the plugin manager and workflow type can be
|
||||||
|
// mocked.
|
||||||
|
$container = new ContainerBuilder();
|
||||||
|
$workflow_manager = $this->prophesize(WorkflowTypeManager::class);
|
||||||
|
$workflow_manager->createInstance('content_moderation', Argument::any())->willReturn(new TestType([], '', []));
|
||||||
|
$container->set('plugin.manager.workflows.type', $workflow_manager->reveal());
|
||||||
|
\Drupal::setContainer($container);
|
||||||
|
|
||||||
|
$this->workflow = new Workflow(['id' => 'process', 'type' => 'content_moderation'], 'workflow');
|
||||||
|
$this->workflow
|
||||||
|
->getTypePlugin()
|
||||||
|
->addState('draft', 'draft')
|
||||||
|
->addState('needs_review', 'needs_review')
|
||||||
|
->addState('published', 'published')
|
||||||
|
->addTransition('draft', 'draft', ['draft'], 'draft')
|
||||||
|
->addTransition('review', 'review', ['draft'], 'needs_review')
|
||||||
|
->addTransition('publish', 'publish', ['needs_review', 'published'], 'published');
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verifies user-aware transition validation.
|
* Verifies user-aware transition validation.
|
||||||
*
|
*
|
||||||
|
|
@ -47,7 +80,10 @@ class StateTransitionValidationTest extends UnitTestCase {
|
||||||
$entity->moderation_state = new \stdClass();
|
$entity->moderation_state = new \stdClass();
|
||||||
$entity->moderation_state->value = $from_id;
|
$entity->moderation_state->value = $from_id;
|
||||||
|
|
||||||
$validator = new StateTransitionValidation($this->setUpModerationInformation($entity));
|
$moderation_info = $this->prophesize(ModerationInformationInterface::class);
|
||||||
|
$moderation_info->getWorkflowForEntity($entity)->willReturn($this->workflow);
|
||||||
|
|
||||||
|
$validator = new StateTransitionValidation($moderation_info->reveal());
|
||||||
$has_transition = FALSE;
|
$has_transition = FALSE;
|
||||||
foreach ($validator->getValidTransitions($entity, $user->reveal()) as $transition) {
|
foreach ($validator->getValidTransitions($entity, $user->reveal()) as $transition) {
|
||||||
if ($transition->to()->id() === $to_id) {
|
if ($transition->to()->id() === $to_id) {
|
||||||
|
|
@ -58,27 +94,17 @@ class StateTransitionValidationTest extends UnitTestCase {
|
||||||
$this->assertSame($result, $has_transition);
|
$this->assertSame($result, $has_transition);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function setUpModerationInformation(ContentEntityInterface $entity) {
|
/**
|
||||||
// Create a container so that the plugin manager and workflow type can be
|
* @expectedDeprecation Omitting the $entity parameter from Drupal\content_moderation\StateTransitionValidation::isTransitionValid is deprecated and will be required in Drupal 9.0.0.
|
||||||
// mocked.
|
* @group legacy
|
||||||
$container = new ContainerBuilder();
|
*/
|
||||||
$workflow_manager = $this->prophesize(WorkflowTypeManager::class);
|
public function testDeprecatedEntityParameter() {
|
||||||
$workflow_manager->createInstance('content_moderation', Argument::any())->willReturn(new TestType([], '', []));
|
|
||||||
$container->set('plugin.manager.workflows.type', $workflow_manager->reveal());
|
|
||||||
\Drupal::setContainer($container);
|
|
||||||
|
|
||||||
$workflow = new Workflow(['id' => 'process', 'type' => 'content_moderation'], 'workflow');
|
|
||||||
$workflow
|
|
||||||
->getTypePlugin()
|
|
||||||
->addState('draft', 'draft')
|
|
||||||
->addState('needs_review', 'needs_review')
|
|
||||||
->addState('published', 'published')
|
|
||||||
->addTransition('draft', 'draft', ['draft'], 'draft')
|
|
||||||
->addTransition('review', 'review', ['draft'], 'needs_review')
|
|
||||||
->addTransition('publish', 'publish', ['needs_review', 'published'], 'published');
|
|
||||||
$moderation_info = $this->prophesize(ModerationInformationInterface::class);
|
$moderation_info = $this->prophesize(ModerationInformationInterface::class);
|
||||||
$moderation_info->getWorkflowForEntity($entity)->willReturn($workflow);
|
$state = new State($this->workflow->getTypePlugin(), 'draft', 'draft');
|
||||||
return $moderation_info->reveal();
|
$user = $this->prophesize(AccountInterface::class);
|
||||||
|
|
||||||
|
$validator = new StateTransitionValidation($moderation_info->reveal());
|
||||||
|
$validator->isTransitionValid($this->workflow, $state, $state, $user->reveal());
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue