authorAlex Pott2015-03-31 23:46:24 +0100
committerAlex Pott2015-03-31 23:46:24 +0100
commit3c0892d082db2fd872212ff36e1ce1bf1a9bc0ab (patch)
treee92e98719bca6450b32ea2d230fb99231598258d /core/modules/rest/src/Plugin/rest/resource/EntityResource.php
parented89a08f257e12432dd56514a47d053b5a8b47ea (diff)
Issue #2418119 by Berdir, jhedstrom, larowlan, martin107, nlisgo, klausi, fago, Gábor Hojtsy: REST user updates bypass tightened user account change validation
Diffstat (limited to 'core/modules/rest/src/Plugin/rest/resource/EntityResource.php')
-rw-r--r--core/modules/rest/src/Plugin/rest/resource/EntityResource.php8
1 files changed, 3 insertions, 5 deletions
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index 67dec06..b07f3e6 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -145,13 +145,11 @@ class EntityResource extends ResourceBase {
if ($field_name == $langcode_key && $field->isEmpty()) {
continue;
}
- if ($field->isEmpty() && !$original_entity->get($field_name)->access('delete')) {
- throw new AccessDeniedHttpException(SafeMarkup::format('Access denied on deleting field @field.', array('@field' => $field_name)));
- }
- $original_entity->set($field_name, $field->getValue());
- if (!$original_entity->get($field_name)->access('update')) {
+
+ if (!$original_entity->get($field_name)->access('edit')) {
throw new AccessDeniedHttpException(SafeMarkup::format('Access denied on updating field @field.', array('@field' => $field_name)));
}
+ $original_entity->set($field_name, $field->getValue());
}
// Validate the received data before saving.
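Review bot: The ordering of `if (!$original_entity->get($field_name)->access('edit'))` ahead of `$original_entity->set($field_name, $field->getValue());` is security-relevant, but nothing in the code says so. A later refactor could move the `set()` back above the check, as it was in the removed lines. I would add a comment above the check such as `// Check field access against the stored value before applying the submitted one.` Dropping the `access('delete')` branch also means clearing a field is now gated only by the 'edit' operation; that looks intentional, but it is worth confirming with a test that submits an empty value for a protected field. The loop and the enclosing method begin outside this hunk.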