- Patch #91663 by sun, Berdir, swentel, blackdog, chx: permission of text...

- Patch #91663 by sun, Berdir, swentel, blackdog, chx: permission of text format is not checked when editing an entity and instead reset to something a user can use.

- Patch #91663 by sun, Berdir, swentel, blackdog, chx: permission of text...
b225882e · Dries Buytaert · 8c4d6ab0 · b225882e · b225882e · b225882e
Commit b225882e authored 15 years ago by Dries Buytaert
--- a/modules/block/block.module
+++ b/modules/block/block.module
@@ -438,7 +438,6 @@ function block_custom_block_form($edit = array()) {
    '#description' => t('The content of the block as shown to the user.'),
    '#required' => TRUE,
    '#weight' => -17,
-    '#access' => filter_access(filter_format_load($edit['format'])),
  );

  return $form;

--- a/modules/block/block.test
+++ b/modules/block/block.test
@@ -131,7 +131,7 @@ class BlockTestCase extends DrupalWebTestCase {
    $block_admin = $this->drupalCreateUser(array('administer blocks'));
    $this->drupalLogin($block_admin);
    $this->drupalGet('admin/structure/block/manage/block/' . $bid . '/configure');
-    $this->assertNoText(t('Block body'));
+    $this->assertFieldByXPath("//textarea[@name='body[value]' and @disabled='disabled']", t('This field has been disabled because you do not have sufficient permissions to edit it.'), t('Body field contains denied message'));
    $this->drupalPost('admin/structure/block/manage/block/' . $bid . '/configure', array(), t('Save block'));
    $this->assertNoText(t('Ensure that each block description is unique.'));


--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -849,6 +849,38 @@ function filter_process_format($element) {
    '#weight' => 0,
  );

+  // Lastly, disallow editing of this field if the user is not allowed to use
+  // the stored and preselected text format. But only, if that format actually
+  // exists.
+  $all_formats = filter_formats();
+  if (!isset($formats[$element['#format']]) && isset($all_formats[$element['#format']])) {
+    // Overload default values into #value to make them unalterable.
+    $element['value']['#value'] = $element['value']['#default_value'];
+    $element['format']['format']['#value'] = $element['format']['format']['#default_value'];
+
+    // Prepend #pre_render callback to replace field value with user notice
+    // prior to rendering.
+    if (!isset($element['value']['#pre_render'])) {
+      $element['value']['#pre_render'] = array();
+    }
+    array_unshift($element['value']['#pre_render'], 'filter_form_access_denied');
+
+    // Cosmetic adjustments.
+    if (isset($element['value']['#rows'])) {
+      $element['value']['#rows'] = 3;
+    }
+    $element['value']['#disabled'] = TRUE;
+    $element['value']['#resizable'] = FALSE;
+
+    // Hide the text format selector and any other child element (such as text
+    // field's summary).
+    foreach (element_children($element) as $key) {
+      if ($key != 'value') {
+        $element[$key]['#access'] = FALSE;
+      }
+    }
+  }
+
  return $element;
 }

@@ -884,6 +916,22 @@ function filter_form_after_build($element, &$form_state) {
  return $element;
 }

+/**
+ * #pre_render callback for #type 'text_format' to hide field value from prying eyes.
+ *
+ * To not break form processing and previews if a user does not have access to a
+ * stored text format, the expanded form elements in filter_process_format() are
+ * forced to take over the stored #default_values for 'value' and 'format'.
+ * However, to prevent the unfiltered, original #value from being displayed to
+ * the user, we replace it with a friendly notice here.
+ *
+ * @see filter_process_format()
+ */
+function filter_form_access_denied($element) {
+  $element['#value'] = t('This field has been disabled because you do not have sufficient permissions to edit it.');
+  return $element;
+}
+
 /**
 * Render a text format-enabled form element.
 *

--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
@@ -395,7 +395,7 @@ class FilterAdminTestCase extends DrupalWebTestCase {
  }
 }

-class FilterAccessTestCase extends DrupalWebTestCase {
+class FilterFormatAccessTestCase extends DrupalWebTestCase {
  protected $admin_user;
  protected $web_user;
  protected $allowed_format;
@@ -403,8 +403,8 @@ class FilterAccessTestCase extends DrupalWebTestCase {

  public static function getInfo() {
    return array(
-      'name' => 'Filter access functionality',
-      'description' => 'Test the filter access system.',
+      'name' => 'Filter format access',
+      'description' => 'Tests access to text formats.',
      'group' => 'Filter',
    );
  }
@@ -412,8 +412,15 @@ class FilterAccessTestCase extends DrupalWebTestCase {
  function setUp() {
    parent::setUp();

+    $this->full_html_format = db_query_range('SELECT * FROM {filter_format} WHERE name = :name', 0, 1, array(':name' => 'Full HTML'))->fetchObject();
+
    // Create two text formats and grant a regular user access to one of them.
-    $this->admin_user = $this->drupalCreateUser(array('administer filters'));
+    $this->admin_user = $this->drupalCreateUser(array(
+      'administer filters',
+      'create page content',
+      'edit any page content',
+      filter_permission_name($this->full_html_format),
+    ));
    $this->drupalLogin($this->admin_user);
    $formats = array();
    for ($i = 0; $i < 2; $i++) {
@@ -424,7 +431,11 @@ class FilterAccessTestCase extends DrupalWebTestCase {
      $formats[] = filter_format_load($format_id);
    }
    list($this->allowed_format, $this->disallowed_format) = $formats;
-    $this->web_user = $this->drupalCreateUser(array('create page content', filter_permission_name($this->allowed_format)));
+
+    $this->web_user = $this->drupalCreateUser(array(
+      'create page content',
+      filter_permission_name($this->allowed_format),
+    ));
  }

  function testFormatPermissions() {
@@ -474,6 +485,61 @@ class FilterAccessTestCase extends DrupalWebTestCase {
    $this->assertTrue(in_array(filter_fallback_format(), array_keys(filter_get_formats_by_role($rid))), t('The fallback format appears in the list of allowed formats for any role.'));
  }

+  /**
+   * Test editing a page using a disallowed text format.
+   *
+   * Verifies that a regular user is able to edit a page, but is not allowed to
+   * change the fields which use an inaccessible text format.
+   */
+  function testFormatWidgetPermissions() {
+    $langcode = LANGUAGE_NONE;
+    $title_key = "title";
+    $body_value_key = "body[$langcode][0][value]";
+    $body_format_key = "body[$langcode][0][format]";
+
+    // Create node to edit.
+    $this->drupalLogin($this->admin_user);
+    $edit = array();
+    $edit['title'] = $this->randomName(8);
+    $edit[$body_value_key] = $this->randomName(16);
+    $edit[$body_format_key] = $this->full_html_format->format;
+    $this->drupalPost('node/add/page', $edit, t('Save'));
+    $node = $this->drupalGetNodeByTitle($edit['title']);
+
+    // Try to edit with a less privileged user.
+    $this->moderator = $this->drupalCreateUser(array(
+      'edit any page content',
+      'create page content',
+    ));
+    $this->drupalLogin($this->moderator);
+    $this->drupalGet('node/' . $node->nid);
+    $this->clickLink(t('Edit'));
+
+    // Verify that body field is read-only and contains replacement value.
+    $this->assertFieldByXPath("//textarea[@name='$body_value_key' and @disabled='disabled']", t('This field has been disabled because you do not have sufficient permissions to edit it.'), t('Text format access denied message found.'));
+
+    // Verify that title can be changed, but preview displays original body.
+    $new_edit = array();
+    $new_edit['title'] = $this->randomName(8);
+    $this->drupalPost(NULL, $new_edit, t('Preview'));
+    $this->assertText($edit[$body_value_key], t('Old body found in preview.'));
+
+    // Save and verify that only the title was changed.
+    $this->drupalPost(NULL, $new_edit, t('Save'));
+    $this->assertNoText($edit['title'], t('Old title not found.'));
+    $this->assertText($new_edit['title'], t('New title found.'));
+    $this->assertText($edit[$body_value_key], t('Old body found.'));
+
+    // Delete the Full HTML text format.
+    filter_format_delete($this->full_html_format);
+    $this->resetFilterCaches();
+
+    // Verify that body field can be edited and a new format can be selected.
+    $this->drupalGet('node/' . $node->nid . '/edit');
+    $this->assertNoFieldByXPath("//textarea[@name='$body_value_key' and @disabled='disabled']", NULL, t('Text format access denied message not found.'));
+    $this->assertFieldByXPath("//select[@name='$body_format_key']", NULL, t('Text format selector found.'));
+  }
+
  /**
   * Returns the expected HTML for a particular text format selector.
   *