From 78f8ee05bbc61377664badc1831702d8e0f599c4 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Mon, 16 Dec 2019 11:23:15 +0000
Subject: [PATCH] Issue #3018148 by Lendude, tstoeckler: Views bulk forms
 perform redirects to the confirmation page even if it is not allowed for the
 user

---
 .../src/Functional/Views/BulkFormAccessTest.php  | 16 ++++++++++++++++
 .../views/src/Plugin/views/field/BulkForm.php    | 14 +++++++++-----
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/core/modules/node/tests/src/Functional/Views/BulkFormAccessTest.php b/core/modules/node/tests/src/Functional/Views/BulkFormAccessTest.php
index 1b440cf2f20..0de0ed127a3 100644
--- a/core/modules/node/tests/src/Functional/Views/BulkFormAccessTest.php
+++ b/core/modules/node/tests/src/Functional/Views/BulkFormAccessTest.php
@@ -128,6 +128,22 @@ class BulkFormAccessTest extends NodeTestBase {
     // Re-load the node and check the status.
     $node = Node::load($node->id());
     $this->assertTrue($node->isPublished(), 'The node is still published.');
+
+    // Try to delete the node and check that we are not redirected to the
+    // conformation form but stay on the content view.
+    $this->assertNotEmpty($this->cssSelect('#views-form-test-node-bulk-form-page-1'));
+    $edit = [
+      'node_bulk_form[0]' => TRUE,
+      'action' => 'node_delete_action',
+    ];
+    $this->drupalPostForm('test-node-bulk-form', $edit, t('Apply to selected items'));
+    // Test that the action message isn't shown.
+    $this->assertRaw(new FormattableMarkup('No access to execute %action on the @entity_type_label %entity_label.', [
+      '%action' => 'Delete content',
+      '@entity_type_label' => 'Content',
+      '%entity_label' => $node->label(),
+    ]));
+    $this->assertNotEmpty($this->cssSelect('#views-form-test-node-bulk-form-page-1'));
   }
 
   /**
diff --git a/core/modules/views/src/Plugin/views/field/BulkForm.php b/core/modules/views/src/Plugin/views/field/BulkForm.php
index 74f927ff092..ec4426e9562 100644
--- a/core/modules/views/src/Plugin/views/field/BulkForm.php
+++ b/core/modules/views/src/Plugin/views/field/BulkForm.php
@@ -402,6 +402,12 @@ class BulkForm extends FieldPluginBase implements CacheableDependencyInterface {
         $entities[$bulk_form_key] = $entity;
       }
 
+      // If there were entities selected but the action isn't allowed on any of
+      // them, we don't need to do anything further.
+      if (!$count) {
+        return;
+      }
+
       $action->execute($entities);
 
       $operation_definition = $action->getPluginDefinition();
@@ -414,11 +420,9 @@ class BulkForm extends FieldPluginBase implements CacheableDependencyInterface {
       else {
         // Don't display the message unless there are some elements affected and
         // there is no confirmation form.
-        if ($count) {
-          $this->messenger->addStatus($this->formatPlural($count, '%action was applied to @count item.', '%action was applied to @count items.', [
-            '%action' => $action->label(),
-          ]));
-        }
+        $this->messenger->addStatus($this->formatPlural($count, '%action was applied to @count item.', '%action was applied to @count items.', [
+          '%action' => $action->label(),
+        ]));
       }
     }
   }