From 33c4319f80d468cd11c0b50635d85b9b3c883f38 Mon Sep 17 00:00:00 2001
From: catch <catch@35733.no-reply.drupal.org>
Date: Tue, 19 Oct 2021 10:38:15 +0100
Subject: [PATCH] Issue #2744381 by Berdir, Wim Leers, mohit_aghera, mstrelan,
 lahoosascoots, xjm, dawehner, effulgentsia, larowlan, cilefen:
 NodeAddAccessCheck allows roles holding the "Administer content types"
 permission to create nodes

---
 .../modules/datetime/tests/src/Functional/DateTestBase.php | 1 +
 .../tests/src/Functional/ManageFieldsFunctionalTest.php    | 1 +
 core/modules/node/node.routing.yml                         | 4 ++--
 core/modules/node/node.services.yml                        | 1 +
 core/modules/node/src/Access/NodeAddAccessCheck.php        | 5 +++++
 .../node/tests/src/Functional/NodeAccessMenuLinkTest.php   | 1 +
 .../modules/node/tests/src/Functional/NodeCreationTest.php | 7 +++++++
 .../node/tests/src/Functional/NodeTypeTranslationTest.php  | 1 +
 .../tests/src/Functional/PageCacheTagsIntegrationTest.php  | 2 ++
 9 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/core/modules/datetime/tests/src/Functional/DateTestBase.php b/core/modules/datetime/tests/src/Functional/DateTestBase.php
index 805ea0d4d9d4..4fce222082a9 100644
--- a/core/modules/datetime/tests/src/Functional/DateTestBase.php
+++ b/core/modules/datetime/tests/src/Functional/DateTestBase.php
@@ -97,6 +97,7 @@ protected function setUp() {
       'administer entity_test content',
       'administer entity_test form display',
       'administer content types',
+      'bypass node access',
       'administer node fields',
     ]);
     $this->drupalLogin($web_user);
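Review bot: Adding `'bypass node access'` to this permission list grants the test user every operation on every node, which is far broader than what the fixture lost when `administer content types` stopped implying create access. If the test only needs to create nodes of one bundle, a per-bundle permission such as `'create <bundle> content'` (the bundle name is not visible in this hunk) would keep the user close to least privilege and would still fail if the create check regressed. The same applies to the permission lists changed in ManageFieldsFunctionalTest, NodeAccessMenuLinkTest and NodeTypeTranslationTest. setUp() starts and ends outside the hunk.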
diff --git a/core/modules/field_ui/tests/src/Functional/ManageFieldsFunctionalTest.php b/core/modules/field_ui/tests/src/Functional/ManageFieldsFunctionalTest.php
index 17fca561265b..85b056e6575b 100644
--- a/core/modules/field_ui/tests/src/Functional/ManageFieldsFunctionalTest.php
+++ b/core/modules/field_ui/tests/src/Functional/ManageFieldsFunctionalTest.php
@@ -85,6 +85,7 @@ protected function setUp(): void {
     $admin_user = $this->drupalCreateUser([
       'access content',
       'administer content types',
+      'bypass node access',
       'administer node fields',
       'administer node form display',
       'administer node display',
diff --git a/core/modules/node/node.routing.yml b/core/modules/node/node.routing.yml
index 962f21c0ccdb..7d3f2f3ea8ca 100644
--- a/core/modules/node/node.routing.yml
+++ b/core/modules/node/node.routing.yml
@@ -22,7 +22,7 @@ node.add_page:
   options:
     _node_operation_route: TRUE
   requirements:
-    _node_add_access: 'node'
+    _entity_create_any_access: 'node'
 
 node.add:
   path: '/node/add/{node_type}'
@@ -30,7 +30,7 @@ node.add:
     _entity_form: 'node.default'
     _title_callback: '\Drupal\node\Controller\NodeController::addPageTitle'
   requirements:
-    _node_add_access: 'node:{node_type}'
+    _entity_create_access: 'node:{node_type}'
   options:
     _node_operation_route: TRUE
     parameters:
diff --git a/core/modules/node/node.services.yml b/core/modules/node/node.services.yml
index 25759b3be176..f4c70183dbb8 100644
--- a/core/modules/node/node.services.yml
+++ b/core/modules/node/node.services.yml
@@ -16,6 +16,7 @@ services:
   access_check.node.add:
     class: Drupal\node\Access\NodeAddAccessCheck
     arguments: ['@entity_type.manager']
+    deprecated: The "%service_id%" service is deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use _entity_create_access or _entity_create_any_access access checks instead. See https://www.drupal.org/node/2836069
     tags:
       - { name: access_check, applies_to: _node_add_access }
   access_check.node.preview:
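Review bot: The deprecated service stays registered with `applies_to: _node_add_access`, and the NodeAddAccessCheck.php section of this patch adds only docblock lines, so a contrib or custom route that still declares `_node_add_access` presumably keeps the permissive behaviour named in the subject until drupal:10.0.0. Consider making the deprecated class delegate to the entity create access handler. Alternatively, say so in the deprecation text, for example by appending `Routes that still use _node_add_access continue to grant access to roles with "administer content types".` The class body is not visible in this patch, so confirm against the full file.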
diff --git a/core/modules/node/src/Access/NodeAddAccessCheck.php b/core/modules/node/src/Access/NodeAddAccessCheck.php
index 5a61b05d9494..1829b5d54fca 100644
--- a/core/modules/node/src/Access/NodeAddAccessCheck.php
+++ b/core/modules/node/src/Access/NodeAddAccessCheck.php
@@ -12,6 +12,11 @@
  * Determines access to for node add pages.
  *
  * @ingroup node_access
+ *
+ * @deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use
+ *   _entity_create_access or _entity_create_any_access access checks instead.
+ *
+ * @see https://www.drupal.org/node/2836069
  */
 class NodeAddAccessCheck implements AccessInterface {
 
diff --git a/core/modules/node/tests/src/Functional/NodeAccessMenuLinkTest.php b/core/modules/node/tests/src/Functional/NodeAccessMenuLinkTest.php
index 05360296d84c..d003f0651576 100644
--- a/core/modules/node/tests/src/Functional/NodeAccessMenuLinkTest.php
+++ b/core/modules/node/tests/src/Functional/NodeAccessMenuLinkTest.php
@@ -38,6 +38,7 @@ protected function setUp(): void {
     $this->contentAdminUser = $this->drupalCreateUser([
       'access content',
       'administer content types',
+      'bypass node access',
       'administer menu',
     ]);
 
diff --git a/core/modules/node/tests/src/Functional/NodeCreationTest.php b/core/modules/node/tests/src/Functional/NodeCreationTest.php
index 5184c20bc28e..2cbb0fd3c4ba 100644
--- a/core/modules/node/tests/src/Functional/NodeCreationTest.php
+++ b/core/modules/node/tests/src/Functional/NodeCreationTest.php
@@ -108,6 +108,13 @@ public function testNodeCreation() {
     $this->drupalLogin($admin_user);
     $this->drupalGet('node/add/page');
     $this->assertSession()->fieldNotExists('edit-revision', NULL);
+
+    // Check that a user with administer content types permission is not
+    // allowed to create content.
+    $content_types_admin = $this->drupalCreateUser(['administer content types']);
+    $this->drupalLogin($content_types_admin);
+    $this->drupalGet('node/add/page');
+    $this->assertSession()->statusCodeEquals(403);
   }
 
   /**
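Review bot: The new assertion requests only `node/add/page`, which is the `node.add` route, so the `node.add_page` listing gets no 403 check even though this patch also moves it to `_entity_create_any_access`. Adding `$this->drupalGet('node/add');` followed by `$this->assertSession()->statusCodeEquals(403);` for the same `$content_types_admin` user would pin both routes. The listing path is assumed to be `/node/add`, since the routing hunk does not show it. testNodeCreation() starts outside the hunk.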
diff --git a/core/modules/node/tests/src/Functional/NodeTypeTranslationTest.php b/core/modules/node/tests/src/Functional/NodeTypeTranslationTest.php
index fbfb37979404..07dd0af2a552 100644
--- a/core/modules/node/tests/src/Functional/NodeTypeTranslationTest.php
+++ b/core/modules/node/tests/src/Functional/NodeTypeTranslationTest.php
@@ -59,6 +59,7 @@ protected function setUp(): void {
 
     $admin_permissions = [
       'administer content types',
+      'bypass node access',
       'administer node fields',
       'administer languages',
       'administer site configuration',
diff --git a/core/modules/page_cache/tests/src/Functional/PageCacheTagsIntegrationTest.php b/core/modules/page_cache/tests/src/Functional/PageCacheTagsIntegrationTest.php
index baad8c5309d9..65539ecb6dcf 100644
--- a/core/modules/page_cache/tests/src/Functional/PageCacheTagsIntegrationTest.php
+++ b/core/modules/page_cache/tests/src/Functional/PageCacheTagsIntegrationTest.php
@@ -109,6 +109,7 @@ public function testPageCacheTags() {
       'node:' . $node_1->id(),
       'user:' . $author_1->id(),
       'config:filter.format.basic_html',
+      'config:node_type_list',
       'config:color.theme.bartik',
       'config:system.menu.account',
       'config:system.menu.tools',
@@ -150,6 +151,7 @@ public function testPageCacheTags() {
       'user:' . $author_2->id(),
       'config:color.theme.bartik',
       'config:filter.format.full_html',
+      'config:node_type_list',
       'config:system.menu.account',
       'config:system.menu.tools',
       'config:system.menu.footer',
-- 
GitLab