summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorxjm2017-04-19 11:45:53 -0500
committerxjm2017-04-19 11:47:05 -0500
commit5584502206df51f1d9a95faebf5131b091c23981 (patch)
treed2aeacf81c330adb647fa6ba70aeabb6bcd2fa99
parent52e19481d8f9ac4f6571a926d18d836d44d75d3d (diff)
parent75fde1e41e5555aacf0acba6370b11a4ec1a77d5 (diff)
Back to dev.8.2.x
-rw-r--r--core/CHANGELOG.txt4
-rw-r--r--core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php13
2 files changed, 17 insertions, 0 deletions
diff --git a/core/CHANGELOG.txt b/core/CHANGELOG.txt
index 853260a..d823345 100644
--- a/core/CHANGELOG.txt
+++ b/core/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 8.2.8, 2017-04-19
+------------------------
+- Fixed security issues. See SA-CORE-2017-002.
+
Drupal 8.2.7, 2017-03-15
------------------------
- Fixed security issues. See SA-CORE-2017-001.
diff --git a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
index 1530693..86668bc 100644
--- a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
+++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
@@ -303,6 +303,19 @@ class EntityAccessControlHandler extends EntityHandlerBase implements EntityAcce
// Get the default access restriction that lives within this field.
$default = $items ? $items->defaultAccess($operation, $account) : AccessResult::allowed();
+ // Explicitly disallow changing the entity ID and entity UUID.
+ if ($operation === 'edit') {
+ if ($field_definition->getName() === $this->entityType->getKey('id')) {
+ return $return_as_object ? AccessResult::forbidden('The entity ID cannot be changed') : FALSE;
+ }
+ elseif ($field_definition->getName() === $this->entityType->getKey('uuid')) {
+ // UUIDs can be set when creating an entity.
+ if ($items && ($entity = $items->getEntity()) && !$entity->isNew()) {
+ return $return_as_object ? AccessResult::forbidden('The entity UUID cannot be changed')->addCacheableDependency($entity) : FALSE;
+ }
+ }
+ }
+
// Get the default access restriction as specified by the access control
// handler.
$entity_default = $this->checkFieldAccess($operation, $field_definition, $account, $items);