authorxjm2016-06-15 14:59:07 -0500
committerxjm2016-06-15 15:08:27 -0500
commita87557fde744444c0f7f5344d4f82b721a65717e (patch)
tree2dd8b0162ee66fcffec105e743f65789ecff0c6d
parent6204be67bb3c1a0b64991770c27b62dbadb15007 (diff)
Drupal 8.1.3, SA-CORE-2016-002 by catch, dawehner, dsnopek, greggles, Plazik, stefan.r, xjm, klausi, mlhess8.1.3
-rw-r--r--core/CHANGELOG.txt4
-rw-r--r--core/lib/Drupal.php2
-rw-r--r--core/modules/statistics/config/schema/statistics.views.schema.yml9
-rw-r--r--core/modules/statistics/src/Plugin/views/field/NodeCounterTimestamp.php24
-rw-r--r--core/modules/statistics/src/Plugin/views/field/StatisticsNumeric.php24
-rw-r--r--core/modules/statistics/src/Tests/Views/IntegrationTest.php21
-rw-r--r--core/modules/statistics/statistics.views.inc6
7 files changed, 83 insertions, 7 deletions
diff --git a/core/CHANGELOG.txt b/core/CHANGELOG.txt
index a632835..64ad167 100644
--- a/core/CHANGELOG.txt
+++ b/core/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 8.1.3, 2016-06-15
+------------------------
+- Fixed security issue. SA-CORE-2016-002.
+
Drupal 8.1.0, 2016-04-20
------------------------
- Removed Composer-managed vendor from the git repository:
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index 9dc7c5f..7b36706 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -81,7 +81,7 @@ class Drupal {
/**
* The current system version.
*/
- const VERSION = '8.1.2';
+ const VERSION = '8.1.3';
/**
* Core API compatibility.
diff --git a/core/modules/statistics/config/schema/statistics.views.schema.yml b/core/modules/statistics/config/schema/statistics.views.schema.yml
new file mode 100644
index 0000000..31a3325
--- /dev/null
+++ b/core/modules/statistics/config/schema/statistics.views.schema.yml
@@ -0,0 +1,9 @@
+# Schema for the views plugins of the Statistics module.
+
+views.field.statistics_numeric:
+ type: views.field.numeric
+ label: 'Numeric values from the statistics module'
+
+views.field.node_counter_timestamp:
+ type: views.field.date
+ label: 'The most recent time the node has been viewed'
diff --git a/core/modules/statistics/src/Plugin/views/field/NodeCounterTimestamp.php b/core/modules/statistics/src/Plugin/views/field/NodeCounterTimestamp.php
new file mode 100644
index 0000000..fb0eb30
--- /dev/null
+++ b/core/modules/statistics/src/Plugin/views/field/NodeCounterTimestamp.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Drupal\statistics\Plugin\views\field;
+
+use Drupal\views\Plugin\views\field\Date;
+use Drupal\Core\Session\AccountInterface;
+
+/**
+ * Field handler to display the most recent time the node has been viewed.
+ *
+ * @ingroup views_field_handlers
+ *
+ * @ViewsField("node_counter_timestamp")
+ */
+class NodeCounterTimestamp extends Date {
+
+ /**
+ * {@inheritdoc}
+ */
+ public function access(AccountInterface $account) {
+ return $account->hasPermission('view post access counter');
+ }
+
+}
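Review bot: The `access()` override in `NodeCounterTimestamp` returns only the permission check and never consults `parent::access($account)`, so any access restriction the inherited handler applies (for example one driven by the views data definition) would be dropped for this field; `StatisticsNumeric::access()` in the next file has the same shape. Keeping the new gate additive avoids that: `return parent::access($account) && $account->hasPermission('view post access counter');`. The bare `{@inheritdoc}` docblock also hides the security-relevant behaviour, so a one-line comment such as `// Statistics counters are only shown to users with 'view post access counter'.` would help the next reader. The permission string is duplicated in both classes; a shared constant or trait would keep the two handlers from drifting apart.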
diff --git a/core/modules/statistics/src/Plugin/views/field/StatisticsNumeric.php b/core/modules/statistics/src/Plugin/views/field/StatisticsNumeric.php
new file mode 100644
index 0000000..a425b31
--- /dev/null
+++ b/core/modules/statistics/src/Plugin/views/field/StatisticsNumeric.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Drupal\statistics\Plugin\views\field;
+
+use Drupal\views\Plugin\views\field\NumericField;
+use Drupal\Core\Session\AccountInterface;
+
+/**
+ * Field handler to display numeric values from the statistics module.
+ *
+ * @ingroup views_field_handlers
+ *
+ * @ViewsField("statistics_numeric")
+ */
+class StatisticsNumeric extends NumericField {
+
+ /**
+ * {@inheritdoc}
+ */
+ public function access(AccountInterface $account) {
+ return $account->hasPermission('view post access counter');
+ }
+
+}
diff --git a/core/modules/statistics/src/Tests/Views/IntegrationTest.php b/core/modules/statistics/src/Tests/Views/IntegrationTest.php
index 4882fd2..07380c8 100644
--- a/core/modules/statistics/src/Tests/Views/IntegrationTest.php
+++ b/core/modules/statistics/src/Tests/Views/IntegrationTest.php
@@ -47,8 +47,11 @@ class IntegrationTest extends ViewTestBase {
ViewTestData::createTestViews(get_class($this), array('statistics_test_views'));
- // Create a new user for viewing nodes.
- $this->webUser = $this->drupalCreateUser(array('access content'));
+ // Create a new user for viewing nodes and statistics.
+ $this->webUser = $this->drupalCreateUser(array('access content', 'view post access counter'));
+
+ // Create a new user for viewing nodes only.
+ $this->deniedUser = $this->drupalCreateUser(array('access content'));
$this->drupalCreateContentType(array('type' => 'page'));
$this->node = $this->drupalCreateNode(array('type' => 'page'));
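Review bot: `$this->deniedUser` is assigned in this hunk, but the three hunks for IntegrationTest.php account for all 21 changed lines in the diffstat and none of them declares the property, so it appears to be created dynamically on the test class. Declare it alongside `webUser`, e.g. `protected $deniedUser;`, with a docblock stating that this account has 'access content' but not 'view post access counter'. The property declarations and the start of the enclosing method are outside the hunk.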
@@ -59,13 +62,14 @@ class IntegrationTest extends ViewTestBase {
->set('count_content_views', 1)
->save();
- $this->drupalLogin($this->webUser);
}
/**
* Tests the integration of the {node_counter} table in views.
*/
public function testNodeCounterIntegration() {
+ $this->drupalLogin($this->webUser);
+
$this->drupalGet('node/' . $this->node->id());
// Manually calling statistics.php, simulating ajax behavior.
// @see \Drupal\statistics\Tests\StatisticsLoggingTest::testLogging().
@@ -84,6 +88,17 @@ class IntegrationTest extends ViewTestBase {
$xpath = "//div[contains(@class, views-field-$field)]/span[@class = 'field-content']";
$this->assertFieldByXpath($xpath, $value, "The $field output matches the expected.");
}
+
+ $this->drupalLogout();
+ $this->drupalLogin($this->deniedUser);
+ $this->drupalGet('test_statistics_integration');
+ $this->assertResponse(200);
+
+ foreach ($expected as $field => $value) {
+ $xpath = "//div[contains(@class, views-field-$field)]/span[@class = 'field-content']";
+ $this->assertNoFieldByXpath($xpath, $value, "The $field output is not displayed.");
+ }
+
}
}
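Review bot: The negative check `$this->assertNoFieldByXpath($xpath, $value, ...)` only proves that no matching element carries the exact expected value, so it would still pass if a statistics field were rendered to the denied user with a different value or format. The copied XPath also leaves the class name unquoted in `contains(@class, views-field-$field)`, which XPath most likely evaluates as a child-element path yielding an empty string, so the class filter would match every div rather than the intended field. Quote the class and assert absence of the element itself: `$xpath = "//div[contains(@class, 'views-field-$field')]/span[@class = 'field-content']";` followed by `$this->assertNoFieldByXpath($xpath, NULL, "The $field output is not displayed.");`. testNodeCounterIntegration() begins in the previous hunk, and the positive loop above uses the same unquoted expression.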
diff --git a/core/modules/statistics/statistics.views.inc b/core/modules/statistics/statistics.views.inc
index c3fdaa1..e851251 100644
--- a/core/modules/statistics/statistics.views.inc
+++ b/core/modules/statistics/statistics.views.inc
@@ -22,7 +22,7 @@ function statistics_views_data() {
'title' => t('Total views'),
'help' => t('The total number of times the node has been viewed.'),
'field' => array(
- 'id' => 'numeric',
+ 'id' => 'statistics_numeric',
'click sortable' => TRUE,
),
'filter' => array(
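Review bot: Only the `'field'` handler id is switched to the permission-checked plugin; the `'filter'` entry that begins on the last line of this hunk, and any sort or argument entries further down, are not touched, and the same holds for the hunks at -40 and -58. If those handlers remain on generic plugins, a view that exposes a filter or sort on these columns could still disclose counter information to users without 'view post access counter'; this is inferred, because their ids are not visible here. At minimum document the scope above each field entry, e.g. `// Only the rendered field is permission-gated; filter, sort and argument handlers are not.`, and consider extending IntegrationTest to cover an exposed filter. statistics_views_data() starts and ends outside the hunks.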
@@ -40,7 +40,7 @@ function statistics_views_data() {
'title' => t('Views today'),
'help' => t('The total number of times the node has been viewed today.'),
'field' => array(
- 'id' => 'numeric',
+ 'id' => 'statistics_numeric',
'click sortable' => TRUE,
),
'filter' => array(
@@ -58,7 +58,7 @@ function statistics_views_data() {
'title' => t('Most recent view'),
'help' => t('The most recent time the node has been viewed.'),
'field' => array(
- 'id' => 'date',
+ 'id' => 'node_counter_timestamp',
'click sortable' => TRUE,
),
'filter' => array(