Issue #3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update introduces breaking changes to content moderation

2019-01-31 11:57:18 +00:00 · 2019-01-31 11:57:18 +00:00 · 73d9d9b770
parent 030a9cefc2
commit 73d9d9b770
4 changed files with 56 additions and 24 deletions
--- a/core/modules/content_moderation/src/Plugin/Validation/Constraint/ModerationStateConstraintValidator.php
+++ b/core/modules/content_moderation/src/Plugin/Validation/Constraint/ModerationStateConstraintValidator.php
@ -123,7 +123,7 @@ class ModerationStateConstraintValidator extends ConstraintValidator implements
    else {
      // If we're sure the transition exists, make sure the user has permission
      // to use it.
-      if (!$this->stateTransitionValidation->isTransitionValid($workflow, $original_state, $new_state, $this->currentUser)) {
+      if (!$this->stateTransitionValidation->isTransitionValid($workflow, $original_state, $new_state, $this->currentUser, $entity)) {
        $this->context->addViolation($constraint->invalidTransitionAccess, [
          '%original_state' => $original_state->label(),
          '%new_state' => $new_state->label(),
--- a/core/modules/content_moderation/src/StateTransitionValidation.php
+++ b/core/modules/content_moderation/src/StateTransitionValidation.php
@ -52,7 +52,10 @@ class StateTransitionValidation implements StateTransitionValidationInterface {
  /**
   * {@inheritdoc}
   */
-  public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user) {
+  public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user, ContentEntityInterface $entity = NULL) {
+    if ($entity === NULL) {
+      @trigger_error(sprintf('Omitting the $entity parameter from %s is deprecated and will be required in Drupal 9.0.0.', __METHOD__), E_USER_DEPRECATED);
+    }
    $transition = $workflow->getTypePlugin()->getTransitionFromStateToState($original_state->id(), $new_state->id());
    return $user->hasPermission('use ' . $workflow->id() . ' transition ' . $transition->id());
  }
--- a/core/modules/content_moderation/src/StateTransitionValidationInterface.php
+++ b/core/modules/content_moderation/src/StateTransitionValidationInterface.php
@ -36,10 +36,13 @@ interface StateTransitionValidationInterface {
   *   The new workflow state.
   * @param \Drupal\Core\Session\AccountInterface $user
   *   The user to validate.
+   * @param \Drupal\Core\Entity\ContentEntityInterface $entity
+   *   (optional) The entity to be transitioned. Omitting this parameter is
+   *   deprecated and will be required in Drupal 9.0.0.
   *
   * @return bool
   *   Returns TRUE if transition is valid, otherwise FALSE.
   */
-  public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user);
+  public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user, ContentEntityInterface $entity = NULL);

 }
--- a/core/modules/content_moderation/tests/src/Unit/StateTransitionValidationTest.php
+++ b/core/modules/content_moderation/tests/src/Unit/StateTransitionValidationTest.php
@ -10,6 +10,7 @@ use Drupal\content_moderation\StateTransitionValidation;
 use Drupal\Tests\UnitTestCase;
 use Drupal\workflow_type_test\Plugin\WorkflowType\TestType;
 use Drupal\workflows\Entity\Workflow;
+use Drupal\workflows\State;
 use Drupal\workflows\WorkflowTypeManager;
 use Prophecy\Argument;

@ -19,6 +20,38 @@ use Prophecy\Argument;
 */
 class StateTransitionValidationTest extends UnitTestCase {

+  /**
+   * A test workflow.
+   *
+   * @var \Drupal\workflows\WorkflowInterface
+   */
+  protected $workflow;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    // Create a container so that the plugin manager and workflow type can be
+    // mocked.
+    $container = new ContainerBuilder();
+    $workflow_manager = $this->prophesize(WorkflowTypeManager::class);
+    $workflow_manager->createInstance('content_moderation', Argument::any())->willReturn(new TestType([], '', []));
+    $container->set('plugin.manager.workflows.type', $workflow_manager->reveal());
+    \Drupal::setContainer($container);
+
+    $this->workflow = new Workflow(['id' => 'process', 'type' => 'content_moderation'], 'workflow');
+    $this->workflow
+      ->getTypePlugin()
+      ->addState('draft', 'draft')
+      ->addState('needs_review', 'needs_review')
+      ->addState('published', 'published')
+      ->addTransition('draft', 'draft', ['draft'], 'draft')
+      ->addTransition('review', 'review', ['draft'], 'needs_review')
+      ->addTransition('publish', 'publish', ['needs_review', 'published'], 'published');
+  }
+
  /**
   * Verifies user-aware transition validation.
   *
@ -47,7 +80,10 @@ class StateTransitionValidationTest extends UnitTestCase {
    $entity->moderation_state = new \stdClass();
    $entity->moderation_state->value = $from_id;

-    $validator = new StateTransitionValidation($this->setUpModerationInformation($entity));
+    $moderation_info = $this->prophesize(ModerationInformationInterface::class);
+    $moderation_info->getWorkflowForEntity($entity)->willReturn($this->workflow);
+
+    $validator = new StateTransitionValidation($moderation_info->reveal());
    $has_transition = FALSE;
    foreach ($validator->getValidTransitions($entity, $user->reveal()) as $transition) {
      if ($transition->to()->id() === $to_id) {
@ -58,27 +94,17 @@ class StateTransitionValidationTest extends UnitTestCase {
    $this->assertSame($result, $has_transition);
  }

-  protected function setUpModerationInformation(ContentEntityInterface $entity) {
-    // Create a container so that the plugin manager and workflow type can be
-    // mocked.
-    $container = new ContainerBuilder();
-    $workflow_manager = $this->prophesize(WorkflowTypeManager::class);
-    $workflow_manager->createInstance('content_moderation', Argument::any())->willReturn(new TestType([], '', []));
-    $container->set('plugin.manager.workflows.type', $workflow_manager->reveal());
-    \Drupal::setContainer($container);
-
-    $workflow = new Workflow(['id' => 'process', 'type' => 'content_moderation'], 'workflow');
-    $workflow
-      ->getTypePlugin()
-      ->addState('draft', 'draft')
-      ->addState('needs_review', 'needs_review')
-      ->addState('published', 'published')
-      ->addTransition('draft', 'draft', ['draft'], 'draft')
-      ->addTransition('review', 'review', ['draft'], 'needs_review')
-      ->addTransition('publish', 'publish', ['needs_review', 'published'], 'published');
+  /**
+   * @expectedDeprecation Omitting the $entity parameter from Drupal\content_moderation\StateTransitionValidation::isTransitionValid is deprecated and will be required in Drupal 9.0.0.
+   * @group legacy
+   */
+  public function testDeprecatedEntityParameter() {
    $moderation_info = $this->prophesize(ModerationInformationInterface::class);
-    $moderation_info->getWorkflowForEntity($entity)->willReturn($workflow);
-    return $moderation_info->reveal();
+    $state = new State($this->workflow->getTypePlugin(), 'draft', 'draft');
+    $user = $this->prophesize(AccountInterface::class);
+
+    $validator = new StateTransitionValidation($moderation_info->reveal());
+    $validator->isTransitionValid($this->workflow, $state, $state, $user->reveal());
  }

  /**