Issue #1302228 by xjm, yched, kathyh, chx, tim.plunkett: Fixed field_has_data() returns inconsistent results – possible data loss.

2012-04-19 12:16:57 +09:00 · 2012-04-19 12:16:57 +09:00 · ec59f02c12
parent 6ead5e0750
commit ec59f02c12
3 changed files with 84 additions and 1 deletions
--- a/core/modules/field/field.module
+++ b/core/modules/field/field.module
@ -959,6 +959,10 @@ function field_has_data($field) {
    ->fieldCondition($field)
    ->range(0, 1)
    ->count()
+    // Neutralize the 'entity_field_access' query tag added by
+    // field_sql_storage_field_storage_query(). The result cannot depend on the
+    // access grants of the current user.
+    ->addTag('DANGEROUS_ACCESS_CHECK_OPT_OUT')
    ->execute();
 }

--- a/core/modules/field/modules/field_sql_storage/field_sql_storage.module
+++ b/core/modules/field/modules/field_sql_storage/field_sql_storage.module
@ -515,7 +515,12 @@ function field_sql_storage_field_storage_query(EntityFieldQuery $query) {
    }
    else {
      $select_query = db_select($tablename, $table_alias);
-      $select_query->addTag('entity_field_access');
+      // Allow queries internal to the Field API to opt out of the access
+      // check, for situations where the query's results should not depend on
+      // the access grants for the current user.
+      if (!isset($query->tags['DANGEROUS_ACCESS_CHECK_OPT_OUT'])) {
+        $select_query->addTag('entity_field_access');
+      }
      $select_query->addMetaData('base_table', $tablename);
      $select_query->fields($table_alias, array('entity_type', 'entity_id', 'revision_id', 'bundle'));
      $field_base_table = $table_alias;
--- a/core/modules/node/node.test
+++ b/core/modules/node/node.test
@ -2510,3 +2510,77 @@ class NodeAccessPagerTestCase extends DrupalWebTestCase {
    $this->assertNoRaw('page=2', t('No third page exists.'));
  }
 }
+
+/**
+ * Tests the interaction of the node access system with fields.
+ */
+class NodeAccessFieldTestCase extends NodeWebTestCase {
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Node access and fields',
+      'description' => 'Tests the interaction of the node access system with fields.',
+      'group' => 'Node',
+    );
+  }
+
+  public function setUp() {
+    parent::setUp('node_access_test', 'field_ui');
+    node_access_rebuild();
+
+    // Create some users.
+    $this->admin_user = $this->drupalCreateUser(array('access content', 'bypass node access'));
+    $this->content_admin_user = $this->drupalCreateUser(array('access content', 'administer content types'));
+
+    // Add a custom field to the page content type.
+    $this->field_name = drupal_strtolower($this->randomName() . '_field_name');
+    $this->field = field_create_field(array('field_name' => $this->field_name, 'type' => 'text'));
+    $this->instance = field_create_instance(array(
+      'field_name' => $this->field_name,
+      'entity_type' => 'node',
+      'bundle' => 'page',
+    ));
+  }
+
+  /**
+   * Tests administering fields when node access is restricted.
+   */
+  function testNodeAccessAdministerField() {
+    // Create a page node.
+    $langcode = LANGUAGE_NOT_SPECIFIED;
+    $field_data = array();
+    $value = $field_data[$langcode][0]['value'] = $this->randomName();
+    $node = $this->drupalCreateNode(array($this->field_name => $field_data));
+
+    // Log in as the administrator and confirm that the field value is present.
+    $this->drupalLogin($this->admin_user);
+    $this->drupalGet("node/{$node->nid}");
+    $this->assertText($value, 'The saved field value is visible to an administrator.');
+
+    // Log in as the content admin and try to view the node.
+    $this->drupalLogin($this->content_admin_user);
+    $this->drupalGet("node/{$node->nid}");
+    $this->assertText('Access denied', 'Access is denied for the content admin.');
+
+    // Modify the field default as the content admin.
+    $edit = array();
+    $default = 'Sometimes words have two meanings';
+    $edit["{$this->field_name}[$langcode][0][value]"] = $default;
+    $this->drupalPost(
+      "admin/structure/types/manage/page/fields/{$this->field_name}",
+      $edit,
+      t('Save settings')
+    );
+
+    // Log in as the administrator.
+    $this->drupalLogin($this->admin_user);
+
+    // Confirm that the existing node still has the correct field value.
+    $this->drupalGet("node/{$node->nid}");
+    $this->assertText($value, 'The original field value is visible to an administrator.');
+
+    // Confirm that the new default value appears when creating a new node.
+    $this->drupalGet('node/add/page');
+    $this->assertRaw($default, 'The updated default value is displayed when creating a new node.');
+  }
+}