From 92e613aefac3af2c861e8118a2fe98f399521c50 Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Wed, 19 Apr 2017 11:07:22 -0500
Subject: [PATCH] SA-CORE-2017-002 by alexpott, xjm, larowlan, Wim Leers,
 samuel.mortenson, Berdir, dawehner, tstoeckler, catch

(cherry picked from commit 6b7f47fc3a9e08aa64a73faaa25dd0ddb8f33dd8)
---
 .../Core/Entity/EntityAccessControlHandler.php      | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
index d1d43ee900b3..3b16d1cddbc3 100644
--- a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
+++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
@@ -303,6 +303,19 @@ public function fieldAccess($operation, FieldDefinitionInterface $field_definiti
     // Get the default access restriction that lives within this field.
     $default = $items ? $items->defaultAccess($operation, $account) : AccessResult::allowed();
 
+    // Explicitly disallow changing the entity ID and entity UUID.
+    if ($operation === 'edit') {
+      if ($field_definition->getName() === $this->entityType->getKey('id')) {
+        return $return_as_object ? AccessResult::forbidden('The entity ID cannot be changed') : FALSE;
+      }
+      elseif ($field_definition->getName() === $this->entityType->getKey('uuid')) {
+        // UUIDs can be set when creating an entity.
+        if ($items && ($entity = $items->getEntity()) && !$entity->isNew()) {
+          return $return_as_object ? AccessResult::forbidden('The entity UUID cannot be changed')->addCacheableDependency($entity) : FALSE;
+        }
+      }
+    }
+
     // Get the default access restriction as specified by the access control
     // handler.
     $entity_default = $this->checkFieldAccess($operation, $field_definition, $account, $items);
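Review bot: The ID branch forbids 'edit' unconditionally, so unlike the UUID branch directly below it a new entity can never have its ID supplied on creation; for entity types whose ID is a client-chosen string rather than a serial this would block legitimate creation through any code path that runs field access (whether such a path exists is not visible in this hunk). Mirroring the UUID logic keeps the fix while allowing creation: `if (!$items || !($entity = $items->getEntity()) || !$entity->isNew()) { return $return_as_object ? AccessResult::forbidden('The entity ID cannot be changed')->addCacheableDependency($entity) : FALSE; }`, ideally narrowed further to string-typed ID fields via `$field_definition->getType()`, and with the cacheable dependency only when `$entity` is set. Separately, the UUID check is silently skipped when `$items` is NULL and falls through to the default and handler access below, which deserves a comment such as `// Without field items there is no entity to inspect, so only the default access applies.`. The enclosing `fieldAccess()` method starts before this hunk and continues after it.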
-- 
GitLab