diff --git a/core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml b/core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml
index a8b00299b35..a2bdb74fc6c 100644
--- a/core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml
+++ b/core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml
@@ -19,8 +19,9 @@ display:
 position: 0
 display_options:
 access:
- type: none
- options: { }
+ type: perm
+ options:
+ perm: 'access news feeds'
 cache:
 type: none
 options: { }
diff --git a/core/modules/aggregator/src/Tests/AggregatorRenderingTest.php b/core/modules/aggregator/src/Tests/AggregatorRenderingTest.php
index efb3d2ff0bc..6e42fa89b6f 100644
--- a/core/modules/aggregator/src/Tests/AggregatorRenderingTest.php
+++ b/core/modules/aggregator/src/Tests/AggregatorRenderingTest.php
@@ -113,7 +113,13 @@ class AggregatorRenderingTest extends AggregatorTestBase {
 $cache_tags = explode(' ', $cache_tags_header);
 $this->assertTrue(in_array('aggregator_feed:' . $feed->id(), $cache_tags));
- // Check the rss aggregator page.
+ // Check the rss aggregator page as anonymous user.
+ $this->drupalLogout();
+ $this->drupalGet('aggregator/rss');
+ $this->assertResponse(403);
+
+ // Check the rss aggregator page as admin.
+ $this->drupalLogin($this->adminUser);
 $this->drupalGet('aggregator/rss');
 $this->assertResponse(200);
 $this->assertEqual($this->drupalGetHeader('Content-type'), 'application/rss+xml; charset=utf-8');
diff --git a/core/modules/aggregator/src/Tests/AggregatorTestBase.php b/core/modules/aggregator/src/Tests/AggregatorTestBase.php
index cf845db4042..7eb51e45435 100644
--- a/core/modules/aggregator/src/Tests/AggregatorTestBase.php
+++ b/core/modules/aggregator/src/Tests/AggregatorTestBase.php
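Review bot: Sites that already installed `views.view.aggregator_rss_feed` keep `access: type: none`, because a file under `config/install` is only read when the module is installed, and no update function for existing configuration is visible in this diff. The same gap applies to the `views.view.archive.yml`, `views.view.glossary.yml` and `views.view.taxonomy_term.yml` hunks. An update path that rewrites the stored `access` section of these four views when it is still `none`, or at least a change record telling site owners to re-check them and any clones, would close it. The `perm` access plugin belongs to the user module, so the view's `dependencies` section, which is outside this hunk, should be checked for that module as well.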
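Review bot: In AggregatorRenderingTest.php the new 403 assertion for `aggregator/rss` passes only while the anonymous role happens to lack 'access news feeds'; nothing in the hunk establishes that precondition. The taxonomy and views_ui tests in this commit revoke the permission explicitly before logging out, and doing the same here with `Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access news feeds')->save();` would keep the check meaningful if the testing defaults change. That line needs `use Drupal\user\Entity\Role;`, which is outside this hunk. The enclosing test method starts and ends outside the hunk.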
@@ -16,6 +16,13 @@ use Drupal\aggregator\FeedInterface;
 */
 abstract class AggregatorTestBase extends WebTestBase {
+ /**
+ * A user with permission to administer feeds and create content.
+ *
+ * @var \Drupal\user\Entity\User
+ */
+ protected $adminUser;
+
 /**
 * Modules to install.
 *
@@ -31,8 +38,8 @@ abstract class AggregatorTestBase extends WebTestBase {
 $this->drupalCreateContentType(array('type' => 'article', 'name' => 'Article'));
 }
- $web_user = $this->drupalCreateUser(array('access administration pages', 'administer news feeds', 'access news feeds', 'create article content'));
- $this->drupalLogin($web_user);
+ $this->adminUser = $this->drupalCreateUser(array('access administration pages', 'administer news feeds', 'access news feeds', 'create article content'));
+ $this->drupalLogin($this->adminUser);
 }
 /**
diff --git a/core/modules/comment/src/Plugin/views/wizard/Comment.php b/core/modules/comment/src/Plugin/views/wizard/Comment.php
index 8550825ec0a..34908ad48e8 100644
--- a/core/modules/comment/src/Plugin/views/wizard/Comment.php
+++ b/core/modules/comment/src/Plugin/views/wizard/Comment.php
@@ -71,6 +71,7 @@ class Comment extends WizardPluginBase {
 // Add permission-based access control.
 $display_options['access']['type'] = 'perm';
+ $display_options['access']['options']['perm'] = 'access comments';
 // Add a relationship to nodes.
 $display_options['relationships']['node']['id'] = 'node';
diff --git a/core/modules/dblog/src/Plugin/views/wizard/Watchdog.php b/core/modules/dblog/src/Plugin/views/wizard/Watchdog.php
index c3d3947cb5c..e06f7e43682 100644
--- a/core/modules/dblog/src/Plugin/views/wizard/Watchdog.php
+++ b/core/modules/dblog/src/Plugin/views/wizard/Watchdog.php
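Review bot: None of the tests in this commit creates a view through a wizard, so the permission string set in Comment.php, and those set in the Watchdog, Node, NodeRevision and TaxonomyTerm wizard hunks, are not exercised. The NodeRevision hunk replaces 'view revisions' with 'view all revisions', which suggests the earlier name went unnoticed; how the `perm` plugin treats an unknown permission name is not visible here. A wizard test that builds each view type, asserts the stored `access.options.perm` value and requests the page as a user without that permission would cover these lines. Views already saved through the wizards keep the options they were created with. `defaultDisplayOptions()` starts and ends outside this hunk.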
@@ -26,4 +26,17 @@ class Watchdog extends WizardPluginBase {
 */
 protected $createdColumn = 'timestamp';
+ /**
+ * {@inheritdoc}
+ */
+ protected function defaultDisplayOptions() {
+ $display_options = parent::defaultDisplayOptions();
+
+ // Add permission-based access control.
+ $display_options['access']['type'] = 'perm';
+ $display_options['access']['options']['perm'] = 'access site reports';
+
+ return $display_options;
+ }
+
 }
diff --git a/core/modules/node/config/install/views.view.archive.yml b/core/modules/node/config/install/views.view.archive.yml
index a5acf593122..0e37d99b320 100644
--- a/core/modules/node/config/install/views.view.archive.yml
+++ b/core/modules/node/config/install/views.view.archive.yml
@@ -28,8 +28,9 @@ display:
 query_tags: { }
 title: 'Monthly archive'
 access:
- type: none
- options: { }
+ type: perm
+ options:
+ perm: 'access content'
 cache:
 type: none
 options: { }
diff --git a/core/modules/node/config/install/views.view.glossary.yml b/core/modules/node/config/install/views.view.glossary.yml
index 78115f77a0b..7060764346b 100644
--- a/core/modules/node/config/install/views.view.glossary.yml
+++ b/core/modules/node/config/install/views.view.glossary.yml
@@ -29,8 +29,9 @@ display:
 query_tags: { }
 use_ajax: true
 access:
- type: none
- options: { }
+ type: perm
+ options:
+ perm: 'access content'
 cache:
 type: none
 options: { }
diff --git a/core/modules/node/src/Plugin/views/wizard/Node.php b/core/modules/node/src/Plugin/views/wizard/Node.php
index b9c66e0c50c..07aa15a1e69 100644
--- a/core/modules/node/src/Plugin/views/wizard/Node.php
+++ b/core/modules/node/src/Plugin/views/wizard/Node.php
@@ -77,6 +77,7 @@ class Node extends WizardPluginBase {
 // Add permission-based access control.
 $display_options['access']['type'] = 'perm';
+ $display_options['access']['options']['perm'] = 'access content';
 // Remove the default fields, since we are customizing them here.
 unset($display_options['fields']);
diff --git a/core/modules/node/src/Plugin/views/wizard/NodeRevision.php b/core/modules/node/src/Plugin/views/wizard/NodeRevision.php
index 8c843f6e8c5..ade28e9da13 100644
--- a/core/modules/node/src/Plugin/views/wizard/NodeRevision.php
+++ b/core/modules/node/src/Plugin/views/wizard/NodeRevision.php
@@ -63,7 +63,7 @@ class NodeRevision extends WizardPluginBase {
 // Add permission-based access control.
 $display_options['access']['type'] = 'perm';
- $display_options['access']['options']['perm'] = 'view revisions';
+ $display_options['access']['options']['perm'] = 'view all revisions';
 // Remove the default fields, since we are customizing them here.
 unset($display_options['fields']);
diff --git a/core/modules/taxonomy/config/install/views.view.taxonomy_term.yml b/core/modules/taxonomy/config/install/views.view.taxonomy_term.yml
index 397db93e6ef..3d748129ea5 100644
--- a/core/modules/taxonomy/config/install/views.view.taxonomy_term.yml
+++ b/core/modules/taxonomy/config/install/views.view.taxonomy_term.yml
@@ -28,8 +28,9 @@ display:
 replica: false
 query_tags: { }
 access:
- type: none
- options: { }
+ type: perm
+ options:
+ perm: 'access content'
 cache:
 type: none
 options: { }
diff --git a/core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php b/core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php
index f2a1c05b6e1..3e6ce9a6c67 100644
--- a/core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php
+++ b/core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php
@@ -28,6 +28,7 @@ class TaxonomyTerm extends WizardPluginBase {
 // Add permission-based access control.
 $display_options['access']['type'] = 'perm';
+ $display_options['access']['options']['perm'] = 'access content';
 // Remove the default fields, since we are customizing them here.
 unset($display_options['fields']);
diff --git a/core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php b/core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php
index 7b37eb40137..615ae437e38 100644
--- a/core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php
+++ b/core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php
@@ -9,7 +9,6 @@ namespace Drupal\taxonomy\Tests\Views;
 use Drupal\Component\Utility\Unicode;
 use Drupal\Core\Field\FieldStorageDefinitionInterface;
-use Drupal\Core\Language\Language;
 use Drupal\language\Entity\ConfigurableLanguage;
 use Drupal\user\Entity\Role;
 use Drupal\views\Views;
@@ -156,6 +155,16 @@ class TaxonomyTermViewTest extends TaxonomyTestBase {
 // We only want to check the no. of conditions in the query.
 unset($condition['#conjunction']);
 $this->assertEqual(1, count($condition));
+
+ // Clear permissions for anonymous users to check access for default views.
+ Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access content')->save();
+
+ // Test the default views disclose no data by default.
+ $this->drupalLogout();
+ $this->drupalGet('taxonomy/term/' . $term->id());
+ $this->assertResponse(403);
+ $this->drupalGet('taxonomy/term/' . $term->id() . '/feed');
+ $this->assertResponse(403);
 }
 }
diff --git a/core/modules/views_ui/src/Tests/DefaultViewsTest.php b/core/modules/views_ui/src/Tests/DefaultViewsTest.php
index 44af3a17f50..9143082c42d 100644
--- a/core/modules/views_ui/src/Tests/DefaultViewsTest.php
+++ b/core/modules/views_ui/src/Tests/DefaultViewsTest.php
@@ -8,6 +8,7 @@
 namespace Drupal\views_ui\Tests;
 use Drupal\Core\Url;
+use Drupal\user\Entity\Role;
 /**
 * Tests enabling, disabling, and reverting default views via the listing page.
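Review bot: The comment `// Clear permissions for anonymous users …` in the second TaxonomyTermViewTest hunk overstates what the next line does: only 'access content' is revoked, and any other anonymous permission stays in place. A wording such as `// Revoke 'access content' from anonymous; the term page and its feed must then return 403.` matches the code and names the two requests that follow. The same comment appears in the second DefaultViewsTest hunk. The test method begins outside this hunk.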
@@ -66,6 +67,8 @@ class DefaultViewsTest extends UITestBase {
 // editing.
 $this->drupalGet('admin/structure/views');
 $this->assertLinkByHref('admin/structure/views/view/archive/enable');
+ // Enable it again so it can be tested for access permissions.
+ $this->clickViewsOperationLink(t('Enable'), '/archive/');
 // It should now be possible to revert the view. Do that, and make sure the
 // view title we added above no longer is displayed.
@@ -108,7 +111,18 @@ class DefaultViewsTest extends UITestBase {
 $this->assertUrl('admin/structure/views');
 $this->assertLinkByHref($edit_href);
+ // Clear permissions for anonymous users to check access for default views.
+ Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access content')->save();
+
+ // Test the default views disclose no data by default.
+ $this->drupalLogout();
+ $this->drupalGet('glossary');
+ $this->assertResponse(403);
+ $this->drupalGet('archive');
+ $this->assertResponse(403);
+
 // Test deleting a view.
+ $this->drupalLogin($this->fullAdminUser);
 $this->drupalGet('admin/structure/views');
 $this->clickViewsOperationLink(t('Delete'), '/glossary/');
 // Submit the confirmation form.
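Review bot: The two 403 assertions in the second hunk depend on state built up much earlier in this method, and the hunk does not say so. Both `glossary` and `archive` must be enabled at this point, since a disabled view would presumably have no route and answer with something other than 403; the first hunk re-enables `archive` for that reason. A comment above the requests, for example `// Both views are enabled here; a disabled view has no page route, so 403 proves the access check ran.`, would record the precondition. `$this->fullAdminUser` is defined outside this diff, presumably in UITestBase, and the method starts and ends outside the hunk.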