From 2f563ab520c7cb14ca5d883ae920b4e7f61c1461 Mon Sep 17 00:00:00 2001
From: Pantheon Automation
Date: Wed, 21 Sep 2016 10:51:55 -0700
Subject: [PATCH] Update to Drupal 8.1.10. For more information, see https://www.drupal.org/project/drupal/releases/8.1.10
---
 core/lib/Drupal.php | 2 +-
 .../DefaultExceptionSubscriber.php | 7 +-
 .../comment/src/CommentFieldItemList.php | 26 +++++
 .../comment/src/Tests/CommentNonNodeTest.php | 1 +
 .../CommentStatusFieldAccessTest.php | 100 ++++++++++++++++++
 core/modules/config/config.module | 21 ++--
 .../config/src/Tests/ConfigExportUITest.php | 6 ++
 7 files changed, 151 insertions(+), 12 deletions(-)
 create mode 100644 core/modules/comment/tests/src/Functional/CommentStatusFieldAccessTest.php
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index 6539eb6d9..33ef55410 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -81,7 +81,7 @@ class Drupal {
 /**
 * The current system version.
 */
- const VERSION = '8.1.9';
+ const VERSION = '8.1.10';
 
 /**
 * Core API compatibility.
diff --git a/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php
index 4049f865b..4737e8031 100644
--- a/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php
@@ -188,13 +188,16 @@ class DefaultExceptionSubscriber implements EventSubscriberInterface {
 if (!method_exists($this, $method)) {
 if ($exception instanceof HttpExceptionInterface) {
 $this->onFormatUnknown($event);
+ $response = $event->getResponse();
+ $response->headers->set('Content-Type', 'text/plain');
 }
 else {
 $this->onHtml($event);
 }
- return;
 }
- $this->$method($event);
+ else {
+ $this->$method($event);
+ }
 }
 
 /**
diff --git a/core/modules/comment/src/CommentFieldItemList.php b/core/modules/comment/src/CommentFieldItemList.php
index de00c7d71..7a4cdad4e 100644
--- a/core/modules/comment/src/CommentFieldItemList.php
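Review bot: The two lines added after `$this->onFormatUnknown($event);` in DefaultExceptionSubscriber.php force `Content-Type: text/plain` with no comment saying why, and the diffstat lists no test that covers them. Presumably the response body carries the exception message, which must never be interpreted as HTML; a comment such as `// Serve the exception message as plain text so it is never rendered as markup.` would keep a later cleanup from dropping the header. `$event->getResponse()` is also dereferenced unchecked, which is only safe if `onFormatUnknown()` always sets a response. That method, and the start and end of the enclosing method, are outside this hunk.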
+++ b/core/modules/comment/src/CommentFieldItemList.php
@@ -2,7 +2,9 @@
 
 namespace Drupal\comment;
 
+use Drupal\Core\Access\AccessResult;
 use Drupal\Core\Field\FieldItemList;
+use Drupal\Core\Session\AccountInterface;
 
 /**
 * Defines a item list class for comment fields.
@@ -37,4 +39,28 @@ class CommentFieldItemList extends FieldItemList {
 return parent::offsetExists($offset);
 }
 
+ /**
+ * {@inheritdoc}
+ */
+ public function access($operation = 'view', AccountInterface $account = NULL, $return_as_object = FALSE) {
+ if ($operation === 'edit') {
+ // Only users with administer comments permission can edit the comment
+ // status field.
+ $result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'administer comments');
+ return $return_as_object ? $result : $result->isAllowed();
+ }
+ if ($operation === 'view') {
+ // Only users with either post comments or access comments permisison can
+ // view the field value. The formatter,
+ // Drupal\comment\Plugin\Field\FieldFormatter\CommentDefaultFormatter,
+ // takes care of showing the thread and form based on individual
+ // permissions, so if a user only has ‘post comments’ access, only the
+ // form will be shown and not the comments.
+ $result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'access comments')
+ ->orIf(AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'post comments'));
+ return $return_as_object ? $result : $result->isAllowed();
+ }
+ return parent::access($operation, $account, $return_as_object);
+ }
+
 }
diff --git a/core/modules/comment/src/Tests/CommentNonNodeTest.php b/core/modules/comment/src/Tests/CommentNonNodeTest.php
index 1b37c1f79..e43e0bc42 100644
--- a/core/modules/comment/src/Tests/CommentNonNodeTest.php
+++ b/core/modules/comment/src/Tests/CommentNonNodeTest.php
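Review bot: In the new `access()` method the `edit` and `view` branches return a permission-only result and never consult `parent::access()`, so any restriction the parent applies to these two operations is replaced rather than combined. The parent implementation is not visible in this hunk; if its checks should still hold, the result could be narrowed with `->andIf(parent::access($operation, $account, TRUE))` before it is returned, or the docblock should state that the override is intentional. Separately, `$account ?: \Drupal::currentUser()` is evaluated three times; resolving it once at the top with `$account = $account ?: \Drupal::currentUser();` makes it obvious that every check uses the same account.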
@@ -384,6 +384,7 @@ class CommentNonNodeTest extends WebTestBase {
 'administer entity_test fields',
 'view test entity',
 'administer entity_test content',
+ 'administer comments',
 ));
 $this->drupalLogin($limited_user);
 $this->drupalGet('entity_test/structure/entity_test/fields/entity_test.entity_test.comment');
diff --git a/core/modules/comment/tests/src/Functional/CommentStatusFieldAccessTest.php b/core/modules/comment/tests/src/Functional/CommentStatusFieldAccessTest.php
new file mode 100644
index 000000000..504b3bacf
--- /dev/null
+++ b/core/modules/comment/tests/src/Functional/CommentStatusFieldAccessTest.php
@@ -0,0 +1,100 @@
+ 'article',
+ 'name' => t('Article'),
+ ]);
+ $node_type->save();
+ $this->nodeAuthor = $this->drupalCreateUser([
+ 'create article content',
+ 'skip comment approval',
+ 'post comments',
+ 'edit own comments',
+ 'access comments',
+ 'administer nodes',
+ ]);
+ $this->commentAdmin = $this->drupalCreateUser([
+ 'administer comments',
+ 'create article content',
+ 'edit own comments',
+ 'skip comment approval',
+ 'post comments',
+ 'access comments',
+ 'administer nodes',
+ ]);
+ $this->addDefaultCommentField('node', 'article');
+ }
+
+ /**
+ * Tests comment status field access.
+ */
+ public function testCommentStatusFieldAccessStatus() {
+ $this->drupalLogin($this->nodeAuthor);
+ $this->drupalGet('node/add/article');
+ $assert = $this->assertSession();
+ $assert->fieldNotExists('comment[0][status]');
+ $this->submitForm([
+ 'title[0][value]' => 'Node 1',
+ ], t('Save and publish'));
+ $assert->fieldExists('subject[0][value]');
+ $this->drupalLogin($this->commentAdmin);
+ $this->drupalGet('node/add/article');
+ $assert->fieldExists('comment[0][status]');
+ $this->submitForm([
+ 'title[0][value]' => 'Node 2',
+ ], t('Save and publish'));
+ $assert->fieldExists('subject[0][value]');
+ }
+
+}
diff --git a/core/modules/config/config.module b/core/modules/config/config.module
index 4f31e08f7..874caac8b 100644
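Review bot: `testCommentStatusFieldAccessStatus()` in CommentStatusFieldAccessTest.php only asserts that `comment[0][status]` is absent from or present on the `node/add/article` form, so it checks widget visibility rather than the access rule. Asserting that the node saved by `nodeAuthor` keeps the default comment status, and repeating the field check on the edit form of an existing node, would pin the behaviour the fix is meant to enforce. The `view` branch of the new access logic (a user with neither `access comments` nor `post comments`) is not exercised either. The top of this new file is missing from the page, so the class declaration and the start of the setup method could not be reviewed.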
--- a/core/modules/config/config.module
+++ b/core/modules/config/config.module
@@ -65,14 +65,17 @@ function config_file_download($uri) {
 $scheme = file_uri_scheme($uri);
 $target = file_uri_target($uri);
 if ($scheme == 'temporary' && $target == 'config.tar.gz') {
- $request = \Drupal::request();
- $date = DateTime::createFromFormat('U', $request->server->get('REQUEST_TIME'));
- $date_string = $date->format('Y-m-d-H-i');
- $hostname = str_replace('.', '-', $request->getHttpHost());
- $filename = 'config' . '-' . $hostname . '-' . $date_string . '.tar.gz';
- $disposition = 'attachment; filename="' . $filename . '"';
- return array(
- 'Content-disposition' => $disposition,
- );
+ if (\Drupal::currentUser()->hasPermission('export configuration')) {
+ $request = \Drupal::request();
+ $date = DateTime::createFromFormat('U', $request->server->get('REQUEST_TIME'));
+ $date_string = $date->format('Y-m-d-H-i');
+ $hostname = str_replace('.', '-', $request->getHttpHost());
+ $filename = 'config' . '-' . $hostname . '-' . $date_string . '.tar.gz';
+ $disposition = 'attachment; filename="' . $filename . '"';
+ return array(
+ 'Content-disposition' => $disposition,
+ );
+ }
+ return -1;
 }
 }
diff --git a/core/modules/config/src/Tests/ConfigExportUITest.php b/core/modules/config/src/Tests/ConfigExportUITest.php
index 095c58590..2f742ddad 100644
--- a/core/modules/config/src/Tests/ConfigExportUITest.php
+++ b/core/modules/config/src/Tests/ConfigExportUITest.php
@@ -88,6 +88,12 @@ class ConfigExportUITest extends WebTestBase {
 // Check the single export form doesn't have "form-required" elements.
 $this->drupalGet('admin/config/development/configuration/single/export');
 $this->assertNoRaw('js-form-required form-required', 'No form required fields are found.');
+
+ // Ensure the temporary file is not available to users without the
+ // permission.
+ $this->drupalLogout();
+ $this->drupalGet('system/temporary', ['query' => ['file' => 'config.tar.gz']]);
+ $this->assertResponse(403);
 }
 
 }
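Review bot: `return -1;` at the end of the `config.tar.gz` branch in `config_file_download()` is the line that actually denies the download, yet it is an unexplained magic value. A comment such as `// Deny access: the current user lacks 'export configuration'.` would make the intent clear and keep a later cleanup from removing it. The permission check only gates requests that pass through this hook; because the archive name is fixed, it presumably stays in the temporary directory after an export, so it is worth confirming that directory cannot be served directly by the web server.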
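Review bot: The added 403 assertion in ConfigExportUITest.php runs only after `drupalLogout()`, so it covers anonymous requests but not a logged-in user who lacks `export configuration`. Since the new check in `config_file_download()` is a permission check rather than a login check, a second request as an authenticated user without that permission, still expecting `assertResponse(403)`, would cover the branch the fix adds. The test method begins outside this hunk, so whether the archive exists at this point in the test could not be confirmed.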