Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2426389 by olli, mikey_p, idebr, amateescu: Port SA-CONTRIB-2015-039 to D8 (views)

8.0.x
Alex Pott 2015-02-17 12:51:06 +00:00
parent fc49a03af8
commit 7f6245abfa
13 changed files with 69 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml
View File

@ -19,8 +19,9 @@ display:
position: 0
display_options:
access:
type: none
options: { }
type: perm
options:
perm: 'access news feeds'
cache:
type: none
options: { }

8
core/modules/aggregator/src/Tests/AggregatorRenderingTest.php
View File

@ -113,7 +113,13 @@ class AggregatorRenderingTest extends AggregatorTestBase {
$cache_tags = explode(' ', $cache_tags_header);
$this->assertTrue(in_array('aggregator_feed:' . $feed->id(), $cache_tags));
// Check the rss aggregator page.
// Check the rss aggregator page as anonymous user.
$this->drupalLogout();
$this->drupalGet('aggregator/rss');
$this->assertResponse(403);
// Check the rss aggregator page as admin.
$this->drupalLogin($this->adminUser);
$this->drupalGet('aggregator/rss');
$this->assertResponse(200);
$this->assertEqual($this->drupalGetHeader('Content-type'), 'application/rss+xml; charset=utf-8');

11
core/modules/aggregator/src/Tests/AggregatorTestBase.php
View File

@ -16,6 +16,13 @@ use Drupal\aggregator\FeedInterface;
*/
abstract class AggregatorTestBase extends WebTestBase {
/**
* A user with permission to administer feeds and create content.
*
* @var \Drupal\user\Entity\User
*/
protected $adminUser;
/**
* Modules to install.
*
@ -31,8 +38,8 @@ abstract class AggregatorTestBase extends WebTestBase {
$this->drupalCreateContentType(array('type' => 'article', 'name' => 'Article'));
}
$web_user = $this->drupalCreateUser(array('access administration pages', 'administer news feeds', 'access news feeds', 'create article content'));
$this->drupalLogin($web_user);
$this->adminUser = $this->drupalCreateUser(array('access administration pages', 'administer news feeds', 'access news feeds', 'create article content'));
$this->drupalLogin($this->adminUser);
}
/**

1
core/modules/comment/src/Plugin/views/wizard/Comment.php
View File

@ -71,6 +71,7 @@ class Comment extends WizardPluginBase {
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'access comments';
// Add a relationship to nodes.
$display_options['relationships']['node']['id'] = 'node';

13
core/modules/dblog/src/Plugin/views/wizard/Watchdog.php
View File

@ -26,4 +26,17 @@ class Watchdog extends WizardPluginBase {
*/
protected $createdColumn = 'timestamp';
/**
* {@inheritdoc}
*/
protected function defaultDisplayOptions() {
$display_options = parent::defaultDisplayOptions();
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'access site reports';
return $display_options;
}
}

5
core/modules/node/config/install/views.view.archive.yml
View File

@ -28,8 +28,9 @@ display:
query_tags: { }
title: 'Monthly archive'
access:
type: none
options: { }
type: perm
options:
perm: 'access content'
cache:
type: none
options: { }

5
core/modules/node/config/install/views.view.glossary.yml
View File

@ -29,8 +29,9 @@ display:
query_tags: { }
use_ajax: true
access:
type: none
options: { }
type: perm
options:
perm: 'access content'
cache:
type: none
options: { }

1
core/modules/node/src/Plugin/views/wizard/Node.php
View File

@ -77,6 +77,7 @@ class Node extends WizardPluginBase {
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'access content';
// Remove the default fields, since we are customizing them here.
unset($display_options['fields']);

2
core/modules/node/src/Plugin/views/wizard/NodeRevision.php
View File

@ -63,7 +63,7 @@ class NodeRevision extends WizardPluginBase {
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'view revisions';
$display_options['access']['options']['perm'] = 'view all revisions';
// Remove the default fields, since we are customizing them here.
unset($display_options['fields']);

5
core/modules/taxonomy/config/install/views.view.taxonomy_term.yml
View File

@ -28,8 +28,9 @@ display:
replica: false
query_tags: { }
access:
type: none
options: { }
type: perm
options:
perm: 'access content'
cache:
type: none
options: { }

1
core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php
View File

@ -28,6 +28,7 @@ class TaxonomyTerm extends WizardPluginBase {
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'access content';
// Remove the default fields, since we are customizing them here.
unset($display_options['fields']);

11
core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php
View File

@ -9,7 +9,6 @@ namespace Drupal\taxonomy\Tests\Views;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Field\FieldStorageDefinitionInterface;
use Drupal\Core\Language\Language;
use Drupal\language\Entity\ConfigurableLanguage;
use Drupal\user\Entity\Role;
use Drupal\views\Views;
@ -156,6 +155,16 @@ class TaxonomyTermViewTest extends TaxonomyTestBase {
// We only want to check the no. of conditions in the query.
unset($condition['#conjunction']);
$this->assertEqual(1, count($condition));
// Clear permissions for anonymous users to check access for default views.
Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access content')->save();
// Test the default views disclose no data by default.
$this->drupalLogout();
$this->drupalGet('taxonomy/term/' . $term->id());
$this->assertResponse(403);
$this->drupalGet('taxonomy/term/' . $term->id() . '/feed');
$this->assertResponse(403);
}
}

14
core/modules/views_ui/src/Tests/DefaultViewsTest.php
View File

@ -8,6 +8,7 @@
namespace Drupal\views_ui\Tests;
use Drupal\Core\Url;
use Drupal\user\Entity\Role;
/**
* Tests enabling, disabling, and reverting default views via the listing page.
@ -66,6 +67,8 @@ class DefaultViewsTest extends UITestBase {
// editing.
$this->drupalGet('admin/structure/views');
$this->assertLinkByHref('admin/structure/views/view/archive/enable');
// Enable it again so it can be tested for access permissions.
$this->clickViewsOperationLink(t('Enable'), '/archive/');
// It should now be possible to revert the view. Do that, and make sure the
// view title we added above no longer is displayed.
@ -108,7 +111,18 @@ class DefaultViewsTest extends UITestBase {
$this->assertUrl('admin/structure/views');
$this->assertLinkByHref($edit_href);
// Clear permissions for anonymous users to check access for default views.
Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access content')->save();
// Test the default views disclose no data by default.
$this->drupalLogout();
$this->drupalGet('glossary');
$this->assertResponse(403);
$this->drupalGet('archive');
$this->assertResponse(403);
// Test deleting a view.
$this->drupalLogin($this->fullAdminUser);
$this->drupalGet('admin/structure/views');
$this->clickViewsOperationLink(t('Delete'), '/glossary/');
// Submit the confirmation form.