summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlex Pott2014-11-25 21:50:07 (GMT)
committerAlex Pott2014-11-25 21:50:07 (GMT)
commited01f40c921331c7a6e288d7261a8a114982fe66 (patch)
treebf2e962e91be6d7374811c463cad29fe9e5a9efc
parent40a7440d6b7133edd4cf737e55f5e371af0b59a3 (diff)
Issue #2157541 by dawehner, penyaskito, tim.plunkett, Désiré: Views sets access to ANY on routes - could result in information disclosure
-rw-r--r--core/modules/user/src/PermissionHandler.php6
-rw-r--r--core/modules/user/src/Plugin/views/access/Permission.php4
-rw-r--r--core/modules/user/src/Plugin/views/access/Role.php4
-rw-r--r--core/modules/user/src/Tests/Views/AccessPermissionTest.php1
-rw-r--r--core/modules/user/src/Tests/Views/AccessRoleTest.php5
-rw-r--r--core/modules/user/src/Tests/Views/AccessTestBase.php8
-rw-r--r--core/modules/views/src/Plugin/views/display/DisplayPluginBase.php5
-rw-r--r--core/modules/views/src/Plugin/views/display/PathPluginBase.php3
-rw-r--r--core/modules/views/src/Tests/Plugin/AccessTest.php2
-rw-r--r--core/modules/views/src/ViewsAccessCheck.php42
-rw-r--r--core/modules/views/views.permissions.yml4
-rw-r--r--core/modules/views/views.services.yml4
12 files changed, 7 insertions, 81 deletions
diff --git a/core/modules/user/src/PermissionHandler.php b/core/modules/user/src/PermissionHandler.php
index 0ec4eee..d41b05e 100644
--- a/core/modules/user/src/PermissionHandler.php
+++ b/core/modules/user/src/PermissionHandler.php
@@ -19,10 +19,10 @@ use Drupal\Core\StringTranslation\TranslationInterface;
* To define permissions you can use a $module.permissions.yml file:
*
* @code
- * access all views:
- * title: 'Bypass views access control'
- * description: 'Bypass access control when accessing views.'
+ * administer permissions:
+ * title: Administer permissions
* restrict access: true
+ * description: some description
* @endcode
*/
class PermissionHandler implements PermissionHandlerInterface {
diff --git a/core/modules/user/src/Plugin/views/access/Permission.php b/core/modules/user/src/Plugin/views/access/Permission.php
index 47bbd09..e7c4691 100644
--- a/core/modules/user/src/Plugin/views/access/Permission.php
+++ b/core/modules/user/src/Plugin/views/access/Permission.php
@@ -73,7 +73,7 @@ class Permission extends AccessPluginBase {
* {@inheritdoc}
*/
public function access(AccountInterface $account) {
- return $account->hasPermission($this->options['perm']) || $account->hasPermission('access all views');
+ return $account->hasPermission($this->options['perm']);
}
/**
@@ -118,7 +118,7 @@ class Permission extends AccessPluginBase {
'#options' => $perms,
'#title' => $this->t('Permission'),
'#default_value' => $this->options['perm'],
- '#description' => $this->t('Only users with the selected permission flag will be able to access this display. Note that users with "access all views" can see any view, regardless of other permissions.'),
+ '#description' => $this->t('Only users with the selected permission flag will be able to access this display.'),
);
}
diff --git a/core/modules/user/src/Plugin/views/access/Role.php b/core/modules/user/src/Plugin/views/access/Role.php
index a32cd65..d821b11 100644
--- a/core/modules/user/src/Plugin/views/access/Role.php
+++ b/core/modules/user/src/Plugin/views/access/Role.php
@@ -35,7 +35,7 @@ class Role extends AccessPluginBase {
* {@inheritdoc}
*/
public function access(AccountInterface $account) {
- return $account->hasPermission('access all views') || array_intersect(array_filter($this->options['role']), $account->getRoles());
+ return array_intersect(array_filter($this->options['role']), $account->getRoles());
}
/**
@@ -77,7 +77,7 @@ class Role extends AccessPluginBase {
'#title' => $this->t('Role'),
'#default_value' => $this->options['role'],
'#options' => array_map('\Drupal\Component\Utility\String::checkPlain', user_role_names()),
- '#description' => $this->t('Only the checked roles will be able to access this display. Note that users with "access all views" can see any view, regardless of role.'),
+ '#description' => $this->t('Only the checked roles will be able to access this display.'),
);
}
diff --git a/core/modules/user/src/Tests/Views/AccessPermissionTest.php b/core/modules/user/src/Tests/Views/AccessPermissionTest.php
index da8c911..aaa1daf 100644
--- a/core/modules/user/src/Tests/Views/AccessPermissionTest.php
+++ b/core/modules/user/src/Tests/Views/AccessPermissionTest.php
@@ -36,7 +36,6 @@ class AccessPermissionTest extends AccessTestBase {
$this->assertTrue($access_plugin instanceof Permission, 'Make sure the right class got instantiated.');
$this->assertEqual($access_plugin->pluginTitle(), t('Permission'));
- $this->assertTrue($view->display_handler->access($this->adminUser), 'Admin-Account should be able to access the view everytime');
$this->assertFalse($view->display_handler->access($this->webUser));
$this->assertTrue($view->display_handler->access($this->normalUser));
}
diff --git a/core/modules/user/src/Tests/Views/AccessRoleTest.php b/core/modules/user/src/Tests/Views/AccessRoleTest.php
index 0f06ae2..b4086bd 100644
--- a/core/modules/user/src/Tests/Views/AccessRoleTest.php
+++ b/core/modules/user/src/Tests/Views/AccessRoleTest.php
@@ -46,14 +46,9 @@ class AccessRoleTest extends AccessTestBase {
$this->assertTrue($access_plugin instanceof Role, 'Make sure the right class got instantiated.');
// Test the access() method on the access plugin.
- $this->assertTrue($executable->display_handler->access($this->adminUser), 'Admin-Account should be able to access the view everytime');
$this->assertFalse($executable->display_handler->access($this->webUser));
$this->assertTrue($executable->display_handler->access($this->normalUser));
- $this->drupalLogin($this->adminUser);
- $this->drupalGet('test-role');
- $this->assertResponse(200);
-
$this->drupalLogin($this->webUser);
$this->drupalGet('test-role');
$this->assertResponse(403);
diff --git a/core/modules/user/src/Tests/Views/AccessTestBase.php b/core/modules/user/src/Tests/Views/AccessTestBase.php
index 5fac787..7777b13 100644
--- a/core/modules/user/src/Tests/Views/AccessTestBase.php
+++ b/core/modules/user/src/Tests/Views/AccessTestBase.php
@@ -13,13 +13,6 @@ namespace Drupal\user\Tests\Views;
abstract class AccessTestBase extends UserTestBase {
/**
- * Contains a user object that can access all views.
- *
- * @var \Drupal\user\UserInterface
- */
- protected $adminUser;
-
- /**
* Contains a user object that has no special permissions.
*
* @var \Drupal\user\UserInterface
@@ -52,7 +45,6 @@ abstract class AccessTestBase extends UserTestBase {
$this->enableViewsTestModule();
- $this->adminUser = $this->drupalCreateUser(array('access all views'));
$this->webUser = $this->drupalCreateUser();
$roles = $this->webUser->getRoles();
$this->webRole = $roles[0];
diff --git a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
index 04b3b78..7386c00 100644
--- a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
+++ b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
@@ -2251,11 +2251,6 @@ abstract class DisplayPluginBase extends PluginBase {
$account = \Drupal::currentUser();
}
- // Full override.
- if ($account->hasPermission('access all views')) {
- return TRUE;
- }
-
$plugin = $this->getPlugin('access');
/** @var \Drupal\views\Plugin\views\access\AccessPluginBase $plugin */
if ($plugin) {
diff --git a/core/modules/views/src/Plugin/views/display/PathPluginBase.php b/core/modules/views/src/Plugin/views/display/PathPluginBase.php
index 2d7e550..fd93c3c 100644
--- a/core/modules/views/src/Plugin/views/display/PathPluginBase.php
+++ b/core/modules/views/src/Plugin/views/display/PathPluginBase.php
@@ -200,9 +200,6 @@ abstract class PathPluginBase extends DisplayPluginBase implements DisplayRouter
$access_plugin = Views::pluginManager('access')->createInstance('none');
}
$access_plugin->alterRouteDefinition($route);
- // @todo Figure out whether _access_mode ANY is the proper one. This is
- // particular important for altering routes.
- $route->setOption('_access_mode', AccessManagerInterface::ACCESS_MODE_ANY);
// Set the argument map, in order to support named parameters.
$route->setOption('_view_argument_map', $argument_map);
diff --git a/core/modules/views/src/Tests/Plugin/AccessTest.php b/core/modules/views/src/Tests/Plugin/AccessTest.php
index 9f5f59e..0bdec9e 100644
--- a/core/modules/views/src/Tests/Plugin/AccessTest.php
+++ b/core/modules/views/src/Tests/Plugin/AccessTest.php
@@ -40,7 +40,6 @@ class AccessTest extends PluginTestBase {
ViewTestData::createTestViews(get_class($this), array('views_test_data'));
- $this->admin_user = $this->drupalCreateUser(array('access all views'));
$this->web_user = $this->drupalCreateUser();
$roles = $this->web_user->getRoles();
$this->web_role = $roles[0];
@@ -59,7 +58,6 @@ class AccessTest extends PluginTestBase {
$view = Views::getView('test_access_none');
$view->setDisplay();
- $this->assertTrue($view->display_handler->access($this->admin_user), 'Admin-Account should be able to access the view everytime');
$this->assertTrue($view->display_handler->access($this->web_user));
$this->assertTrue($view->display_handler->access($this->normal_user));
}
diff --git a/core/modules/views/src/ViewsAccessCheck.php b/core/modules/views/src/ViewsAccessCheck.php
deleted file mode 100644
index 62f68a6..0000000
--- a/core/modules/views/src/ViewsAccessCheck.php
+++ /dev/null
@@ -1,42 +0,0 @@
-<?php
-
-/**
- * @file
- * Contains \Drupal\views\ViewsAccessCheck.
- */
-
-namespace Drupal\views;
-
-use Drupal\Core\Access\AccessCheckInterface;
-use Drupal\Core\Access\AccessResult;
-use Drupal\Core\Session\AccountInterface;
-use Symfony\Component\Routing\Route;
-
-/**
- * Defines a route access checker for the _access_all_views permission.
- *
- * @todo We could leverage the permission one as well?
- */
-class ViewsAccessCheck implements AccessCheckInterface {
-
- /**
- * {@inheritdoc}
- */
- public function applies(Route $route) {
- return $route->hasDefault('view_id');
- }
-
- /**
- * Checks access.
- *
- * @param \Drupal\Core\Session\AccountInterface $account
- * The currently logged in account.
- *
- * @return \Drupal\Core\Access\AccessResultInterface
- * The access result.
- */
- public function access(AccountInterface $account) {
- return AccessResult::allowedIfHasPermission($account, 'access all views');
- }
-
-}
diff --git a/core/modules/views/views.permissions.yml b/core/modules/views/views.permissions.yml
deleted file mode 100644
index 7eb1a08..0000000
--- a/core/modules/views/views.permissions.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-access all views:
- title: 'Bypass views access control'
- description: 'Bypass access control when accessing views.'
- restrict access: true
diff --git a/core/modules/views/views.services.yml b/core/modules/views/views.services.yml
index b66568f..343e0b3 100644
--- a/core/modules/views/views.services.yml
+++ b/core/modules/views/views.services.yml
@@ -73,9 +73,5 @@ services:
arguments: ['@entity.manager', '@state']
tags:
- { name: 'event_subscriber' }
- views.route_access_check:
- class: Drupal\views\ViewsAccessCheck
- tags:
- - { name: 'access_check' }
views.exposed_form_cache:
class: Drupal\views\ExposedFormCache