Issue #1558478 by tim.plunkett, Berdir, jhodgdon: Fixed SA-CORE-2012-002 -...

Issue #1558478 by tim.plunkett, Berdir, jhodgdon: Fixed SA-CORE-2012-002 - Access bypass - content administration.

Issue #1558478 by tim.plunkett, Berdir, jhodgdon: Fixed SA-CORE-2012-002 -...
c6d2b831 · Angie Byron · f047851a · c6d2b831 · c6d2b831
Commit c6d2b831 authored 12 years ago by Angie Byron
--- a/core/modules/node/lib/Drupal/node/Tests/NodeQueryAlterTest.php
+++ b/core/modules/node/lib/Drupal/node/Tests/NodeQueryAlterTest.php
@@ -52,9 +52,9 @@ function setUp() {

    // Create user with simple node access permission. The 'node test view'
    // permission is implemented and granted by the node_access_test module.
-    $this->accessUser = $this->drupalCreateUser(array('access content', 'node test view'));
-    $this->noAccessUser = $this->drupalCreateUser(array('access content'));
-    $this->noAccessUser2 = $this->drupalCreateUser(array('access content'));
+    $this->accessUser = $this->drupalCreateUser(array('access content overview', 'access content', 'node test view'));
+    $this->noAccessUser = $this->drupalCreateUser(array('access content overview', 'access content'));
+    $this->noAccessUser2 = $this->drupalCreateUser(array('access content overview', 'access content'));
  }

  /**
@@ -67,11 +67,19 @@ function testNodeQueryAlterWithUI() {
    $this->assertText('Yes, 4 nodes', "4 nodes were found for access user");
    $this->assertNoText('Exception', "No database exception");

+    // Test the content overview page.
+    $this->drupalGet('admin/content');
+    $table_rows = $this->xpath('//tbody/tr');
+    $this->assertEqual(4, count($table_rows), "4 nodes were found for access user");
+
    // Verify that a user with no access permission cannot see nodes.
    $this->drupalLogin($this->noAccessUser);
    $this->drupalGet('node_access_test_page');
    $this->assertText('No nodes', "No nodes were found for no access user");
    $this->assertNoText('Exception', "No database exception");
+
+    $this->drupalGet('admin/content');
+    $this->assertText(t('No content available.'));
  }

  /**

--- a/core/modules/node/node.admin.inc
+++ b/core/modules/node/node.admin.inc
@@ -471,6 +471,7 @@ function node_admin_nodes() {
    ->fields('n',array('nid'))
    ->limit(50)
    ->orderByHeader($header)
+    ->addTag('node_access')
    ->execute()
    ->fetchCol();
  $nodes = node_load_multiple($nids);