From 7f6245abfab7967f7310968d54dbb7ce40a2bf43 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Tue, 17 Feb 2015 12:51:06 +0000
Subject: [PATCH] Issue #2426389 by olli, mikey_p, idebr, amateescu: Port
 SA-CONTRIB-2015-039 to D8 (views)

---
 .../install/views.view.aggregator_rss_feed.yml     |  5 +++--
 .../src/Tests/AggregatorRenderingTest.php          |  8 +++++++-
 .../aggregator/src/Tests/AggregatorTestBase.php    | 11 +++++++++--
 .../comment/src/Plugin/views/wizard/Comment.php    |  1 +
 .../dblog/src/Plugin/views/wizard/Watchdog.php     | 13 +++++++++++++
 .../node/config/install/views.view.archive.yml     |  5 +++--
 .../node/config/install/views.view.glossary.yml    |  5 +++--
 core/modules/node/src/Plugin/views/wizard/Node.php |  1 +
 .../node/src/Plugin/views/wizard/NodeRevision.php  |  2 +-
 .../config/install/views.view.taxonomy_term.yml    |  5 +++--
 .../src/Plugin/views/wizard/TaxonomyTerm.php       |  1 +
 .../src/Tests/Views/TaxonomyTermViewTest.php       | 11 ++++++++++-
 .../views_ui/src/Tests/DefaultViewsTest.php        | 14 ++++++++++++++
 13 files changed, 69 insertions(+), 13 deletions(-)

diff --git a/core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml b/core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml
index a8b00299b352..a2bdb74fc6cd 100644
--- a/core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml
+++ b/core/modules/aggregator/config/install/views.view.aggregator_rss_feed.yml
@@ -19,8 +19,9 @@ display:
     position: 0
     display_options:
       access:
-        type: none
-        options: {  }
+        type: perm
+        options:
+          perm: 'access news feeds'
       cache:
         type: none
         options: {  }
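Review bot: The switch from `type: none` to `type: perm` in `config/install/views.view.aggregator_rss_feed.yml` only reaches sites that install the aggregator module after this patch; a site that has already imported this view keeps `access.type: none` in active configuration, and the diffstat lists no `.install` update function that re-saves it. If any deployed site carries the old config, the access fix silently does not apply there. Unless an upgrade path is deliberately out of scope for this branch, consider pairing the YAML change with an update function that sets `access.type` to `perm` and `access.options.perm` to `'access news feeds'` on the stored view, or stating in the commit message why no upgrade path is needed. The same applies to the archive, glossary and taxonomy_term views changed later in this patch.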
diff --git a/core/modules/aggregator/src/Tests/AggregatorRenderingTest.php b/core/modules/aggregator/src/Tests/AggregatorRenderingTest.php
index efb3d2ff0bcf..6e42fa89b6f1 100644
--- a/core/modules/aggregator/src/Tests/AggregatorRenderingTest.php
+++ b/core/modules/aggregator/src/Tests/AggregatorRenderingTest.php
@@ -113,7 +113,13 @@ public function testFeedPage() {
     $cache_tags = explode(' ', $cache_tags_header);
     $this->assertTrue(in_array('aggregator_feed:' . $feed->id(), $cache_tags));
 
-    // Check the rss aggregator page.
+    // Check the rss aggregator page as anonymous user.
+    $this->drupalLogout();
+    $this->drupalGet('aggregator/rss');
+    $this->assertResponse(403);
+
+    // Check the rss aggregator page as admin.
+    $this->drupalLogin($this->adminUser);
     $this->drupalGet('aggregator/rss');
     $this->assertResponse(200);
     $this->assertEqual($this->drupalGetHeader('Content-type'), 'application/rss+xml; charset=utf-8');
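Review bot: The positive case at the end of this hunk logs in as `$this->adminUser`, who holds 'administer news feeds' and 'access administration pages' besides 'access news feeds', so the test does not show that 'access news feeds' alone is what opens `aggregator/rss`. Logging in as a minimal user before the 200 assertion, `$this->drupalLogin($this->drupalCreateUser(array('access news feeds')));`, would pin the gating permission to the one the view now declares. The anonymous 403 also relies on the anonymous role not already holding 'access news feeds' in the test profile; the taxonomy and views_ui tests in this patch revoke the relevant permission explicitly, and doing the same here would keep this check robust to a profile change. `testFeedPage()` starts before this hunk.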
diff --git a/core/modules/aggregator/src/Tests/AggregatorTestBase.php b/core/modules/aggregator/src/Tests/AggregatorTestBase.php
index cf845db4042c..7eb51e45435e 100644
--- a/core/modules/aggregator/src/Tests/AggregatorTestBase.php
+++ b/core/modules/aggregator/src/Tests/AggregatorTestBase.php
@@ -16,6 +16,13 @@
  */
 abstract class AggregatorTestBase extends WebTestBase {
 
+  /**
+   * A user with permission to administer feeds and create content.
+   *
+   * @var \Drupal\user\Entity\User
+   */
+  protected $adminUser;
+
   /**
    * Modules to install.
    *
@@ -31,8 +38,8 @@ protected function setUp() {
       $this->drupalCreateContentType(array('type' => 'article', 'name' => 'Article'));
     }
 
-    $web_user = $this->drupalCreateUser(array('access administration pages', 'administer news feeds', 'access news feeds', 'create article content'));
-    $this->drupalLogin($web_user);
+    $this->adminUser = $this->drupalCreateUser(array('access administration pages', 'administer news feeds', 'access news feeds', 'create article content'));
+    $this->drupalLogin($this->adminUser);
   }
 
   /**
diff --git a/core/modules/comment/src/Plugin/views/wizard/Comment.php b/core/modules/comment/src/Plugin/views/wizard/Comment.php
index 8550825ec0ae..34908ad48e81 100644
--- a/core/modules/comment/src/Plugin/views/wizard/Comment.php
+++ b/core/modules/comment/src/Plugin/views/wizard/Comment.php
@@ -71,6 +71,7 @@ protected function defaultDisplayOptions() {
 
     // Add permission-based access control.
     $display_options['access']['type'] = 'perm';
+    $display_options['access']['options']['perm'] = 'access comments';
 
     // Add a relationship to nodes.
     $display_options['relationships']['node']['id'] = 'node';
diff --git a/core/modules/dblog/src/Plugin/views/wizard/Watchdog.php b/core/modules/dblog/src/Plugin/views/wizard/Watchdog.php
index c3d3947cb5ca..e06f7e436829 100644
--- a/core/modules/dblog/src/Plugin/views/wizard/Watchdog.php
+++ b/core/modules/dblog/src/Plugin/views/wizard/Watchdog.php
@@ -26,4 +26,17 @@ class Watchdog extends WizardPluginBase {
    */
   protected $createdColumn = 'timestamp';
 
+  /**
+   * {@inheritdoc}
+   */
+  protected function defaultDisplayOptions() {
+    $display_options = parent::defaultDisplayOptions();
+
+    // Add permission-based access control.
+    $display_options['access']['type'] = 'perm';
+    $display_options['access']['options']['perm'] = 'access site reports';
+
+    return $display_options;
+  }
+
 }
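Review bot: The new `defaultDisplayOptions()` override in `Watchdog` carries only `{@inheritdoc}` and the generic comment "Add permission-based access control.", which does not say why this wizard departs from the parent default that the other wizards in this patch merely extend. A one-line why-comment would help the next maintainer, e.g. `// Watchdog data is site-report data: gate wizard-built views on the same permission that protects the dblog report pages.` The permission choice itself looks consistent with the dblog module; this is a documentation point only.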
diff --git a/core/modules/node/config/install/views.view.archive.yml b/core/modules/node/config/install/views.view.archive.yml
index a5acf593122b..0e37d99b3208 100644
--- a/core/modules/node/config/install/views.view.archive.yml
+++ b/core/modules/node/config/install/views.view.archive.yml
@@ -28,8 +28,9 @@ display:
           query_tags: {  }
       title: 'Monthly archive'
       access:
-        type: none
-        options: {  }
+        type: perm
+        options:
+          perm: 'access content'
       cache:
         type: none
         options: {  }
diff --git a/core/modules/node/config/install/views.view.glossary.yml b/core/modules/node/config/install/views.view.glossary.yml
index 78115f77a0b3..7060764346be 100644
--- a/core/modules/node/config/install/views.view.glossary.yml
+++ b/core/modules/node/config/install/views.view.glossary.yml
@@ -29,8 +29,9 @@ display:
           query_tags: {  }
       use_ajax: true
       access:
-        type: none
-        options: {  }
+        type: perm
+        options:
+          perm: 'access content'
       cache:
         type: none
         options: {  }
diff --git a/core/modules/node/src/Plugin/views/wizard/Node.php b/core/modules/node/src/Plugin/views/wizard/Node.php
index b9c66e0c50ca..07aa15a1e690 100644
--- a/core/modules/node/src/Plugin/views/wizard/Node.php
+++ b/core/modules/node/src/Plugin/views/wizard/Node.php
@@ -77,6 +77,7 @@ protected function defaultDisplayOptions() {
 
     // Add permission-based access control.
     $display_options['access']['type'] = 'perm';
+    $display_options['access']['options']['perm'] = 'access content';
 
     // Remove the default fields, since we are customizing them here.
     unset($display_options['fields']);
diff --git a/core/modules/node/src/Plugin/views/wizard/NodeRevision.php b/core/modules/node/src/Plugin/views/wizard/NodeRevision.php
index 8c843f6e8c5c..ade28e9da13a 100644
--- a/core/modules/node/src/Plugin/views/wizard/NodeRevision.php
+++ b/core/modules/node/src/Plugin/views/wizard/NodeRevision.php
@@ -63,7 +63,7 @@ protected function defaultDisplayOptions() {
 
     // Add permission-based access control.
     $display_options['access']['type'] = 'perm';
-    $display_options['access']['options']['perm'] = 'view revisions';
+    $display_options['access']['options']['perm'] = 'view all revisions';
 
     // Remove the default fields, since we are customizing them here.
     unset($display_options['fields']);
diff --git a/core/modules/taxonomy/config/install/views.view.taxonomy_term.yml b/core/modules/taxonomy/config/install/views.view.taxonomy_term.yml
index 397db93e6ef0..3d748129ea54 100644
--- a/core/modules/taxonomy/config/install/views.view.taxonomy_term.yml
+++ b/core/modules/taxonomy/config/install/views.view.taxonomy_term.yml
@@ -28,8 +28,9 @@ display:
           replica: false
           query_tags: {  }
       access:
-        type: none
-        options: {  }
+        type: perm
+        options:
+          perm: 'access content'
       cache:
         type: none
         options: {  }
diff --git a/core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php b/core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php
index f2a1c05b6e19..3e6ce9a6c67d 100644
--- a/core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php
+++ b/core/modules/taxonomy/src/Plugin/views/wizard/TaxonomyTerm.php
@@ -28,6 +28,7 @@ protected function defaultDisplayOptions() {
 
     // Add permission-based access control.
     $display_options['access']['type'] = 'perm';
+    $display_options['access']['options']['perm'] = 'access content';
 
     // Remove the default fields, since we are customizing them here.
     unset($display_options['fields']);
diff --git a/core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php b/core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php
index 7b37eb40137a..615ae437e382 100644
--- a/core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php
+++ b/core/modules/taxonomy/src/Tests/Views/TaxonomyTermViewTest.php
@@ -9,7 +9,6 @@
 
 use Drupal\Component\Utility\Unicode;
 use Drupal\Core\Field\FieldStorageDefinitionInterface;
-use Drupal\Core\Language\Language;
 use Drupal\language\Entity\ConfigurableLanguage;
 use Drupal\user\Entity\Role;
 use Drupal\views\Views;
@@ -156,6 +155,16 @@ public function testTaxonomyTermView() {
     // We only want to check the no. of conditions in the query.
     unset($condition['#conjunction']);
     $this->assertEqual(1, count($condition));
+
+    // Clear permissions for anonymous users to check access for default views.
+    Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access content')->save();
+
+    // Test the default views disclose no data by default.
+    $this->drupalLogout();
+    $this->drupalGet('taxonomy/term/' . $term->id());
+    $this->assertResponse(403);
+    $this->drupalGet('taxonomy/term/' . $term->id() . '/feed');
+    $this->assertResponse(403);
   }
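Review bot: The assertions added at the end of `testTaxonomyTermView()` only prove that anonymous users without 'access content' are refused; nothing checks that a user who holds 'access content' still reaches `taxonomy/term/{tid}` and its feed, so a view accidentally tightened to the wrong permission would still pass. Adding `$this->drupalLogin($this->drupalCreateUser(array('access content')));` followed by `$this->drupalGet('taxonomy/term/' . $term->id()); $this->assertResponse(200);` would cover both sides of the permission. Note also that a 403 on the bare term route could plausibly be produced by term entity access rather than by the view's access plugin, so the `/feed` assertion is the one that most clearly exercises the view; a short comment saying so would make the intent explicit. `testTaxonomyTermView()` starts before this hunk.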
 
 }
diff --git a/core/modules/views_ui/src/Tests/DefaultViewsTest.php b/core/modules/views_ui/src/Tests/DefaultViewsTest.php
index 44af3a17f505..9143082c42d2 100644
--- a/core/modules/views_ui/src/Tests/DefaultViewsTest.php
+++ b/core/modules/views_ui/src/Tests/DefaultViewsTest.php
@@ -8,6 +8,7 @@
 namespace Drupal\views_ui\Tests;
 
 use Drupal\Core\Url;
+use Drupal\user\Entity\Role;
 
 /**
  * Tests enabling, disabling, and reverting default views via the listing page.
@@ -66,6 +67,8 @@ function testDefaultViews() {
     // editing.
     $this->drupalGet('admin/structure/views');
     $this->assertLinkByHref('admin/structure/views/view/archive/enable');
+    // Enable it again so it can be tested for access permissions.
+    $this->clickViewsOperationLink(t('Enable'), '/archive/');
 
     // It should now be possible to revert the view. Do that, and make sure the
     // view title we added above no longer is displayed.
@@ -108,7 +111,18 @@ function testDefaultViews() {
     $this->assertUrl('admin/structure/views');
     $this->assertLinkByHref($edit_href);
 
+    // Clear permissions for anonymous users to check access for default views.
+    Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access content')->save();
+
+    // Test the default views disclose no data by default.
+    $this->drupalLogout();
+    $this->drupalGet('glossary');
+    $this->assertResponse(403);
+    $this->drupalGet('archive');
+    $this->assertResponse(403);
+
     // Test deleting a view.
+    $this->drupalLogin($this->fullAdminUser);
     $this->drupalGet('admin/structure/views');
     $this->clickViewsOperationLink(t('Delete'), '/glossary/');
     // Submit the confirmation form.
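Review bot: The new 403 checks on `glossary` and `archive` only cover the denied side; a user with just 'access content' is never shown to get a 200, so the test cannot tell 'access content' apart from a stricter permission. Inserting `$this->drupalLogin($this->drupalCreateUser(array('access content')));` with `$this->drupalGet('glossary'); $this->assertResponse(200);` before the re-login as `$this->fullAdminUser` would pin the intended permission. `$this->fullAdminUser` is declared outside this hunk, so its permissions are not visible here. `testDefaultViews()` starts before this hunk and continues after it.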
-- 
GitLab