diff --git a/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php
index 4049f865b32d98c80e0220ce9920180e7110cbca..4737e8031a4854e20de698f6512b9c027530b948 100644
--- a/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php
@@ -188,13 +188,16 @@ public function onException(GetResponseForExceptionEvent $event) {
 if (!method_exists($this, $method)) {
 if ($exception instanceof HttpExceptionInterface) {
 $this->onFormatUnknown($event);
+ $response = $event->getResponse();
+ $response->headers->set('Content-Type', 'text/plain');
 }
 else {
 $this->onHtml($event);
 }
- return;
 }
- $this->$method($event);
+ else {
+ $this->$method($event);
+ }
 }
 
 /**
diff --git a/core/modules/comment/src/CommentFieldItemList.php b/core/modules/comment/src/CommentFieldItemList.php
index de00c7d71d81758472a41d556ae9df8409cf872f..7a4cdad4e6d82ef9d0e7cda048dd13a76684163e 100644
--- a/core/modules/comment/src/CommentFieldItemList.php
+++ b/core/modules/comment/src/CommentFieldItemList.php
@@ -2,7 +2,9 @@
 
 namespace Drupal\comment;
 
+use Drupal\Core\Access\AccessResult;
 use Drupal\Core\Field\FieldItemList;
+use Drupal\Core\Session\AccountInterface;
 
 /**
 * Defines a item list class for comment fields.
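Review bot: The added `$response->headers->set('Content-Type', 'text/plain');` carries no explanation of why the unknown-format branch must force a plain-text type; add `// Serve the unknown-format error as plain text so its body is never rendered as HTML by the client.` above it. `$event->getResponse()` is dereferenced with no null check on the next line, so if onFormatUnknown() can return without attaching a response this will fatal; confirm that contract or guard it with `$response = $event->getResponse();` / `if ($response !== NULL) {` around the header write. The hunk shows only the tail of onException(); its signature and the code that computes `$method` are outside the hunk.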
@@ -37,4 +39,28 @@ public function offsetExists($offset) {
 return parent::offsetExists($offset);
 }
 
+ /**
+ * {@inheritdoc}
+ */
+ public function access($operation = 'view', AccountInterface $account = NULL, $return_as_object = FALSE) {
+ if ($operation === 'edit') {
+ // Only users with administer comments permission can edit the comment
+ // status field.
+ $result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'administer comments');
+ return $return_as_object ? $result : $result->isAllowed();
+ }
+ if ($operation === 'view') {
+ // Only users with either post comments or access comments permisison can
+ // view the field value. The formatter,
+ // Drupal\comment\Plugin\Field\FieldFormatter\CommentDefaultFormatter,
+ // takes care of showing the thread and form based on individual
+ // permissions, so if a user only has ‘post comments’ access, only the
+ // form will be shown and not the comments.
+ $result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'access comments')
+ ->orIf(AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'post comments'));
+ return $return_as_object ? $result : $result->isAllowed();
+ }
+ return parent::access($operation, $account, $return_as_object);
+ }
+
 }
diff --git a/core/modules/comment/src/Tests/CommentNonNodeTest.php b/core/modules/comment/src/Tests/CommentNonNodeTest.php
index 1b37c1f79cffa61356808760066c78ec14350af6..e43e0bc42a604ff16027cdad2a67d0c772645c3e 100644
--- a/core/modules/comment/src/Tests/CommentNonNodeTest.php
+++ b/core/modules/comment/src/Tests/CommentNonNodeTest.php
@@ -384,6 +384,7 @@ function testCommentFunctionality() {
 'administer entity_test fields',
 'view test entity',
 'administer entity_test content',
+ 'administer comments',
 ));
 $this->drupalLogin($limited_user);
 $this->drupalGet('entity_test/structure/entity_test/fields/entity_test.entity_test.comment');
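Review bot: Both early returns in the new access() skip parent::access(), so for 'edit' and 'view' the result is decided by the permission alone and whatever the parent would have consulted (entity access, field-access hooks) is no longer part of it; if that is the intent, state it in the docblock instead of bare `{@inheritdoc}`, otherwise fold the parent in with `->andIf(parent::access($operation, $account, TRUE))` before the return (assuming the parent returns an AccessResult when `$return_as_object` is TRUE — verify). `$account ?: \Drupal::currentUser()` is evaluated three times; resolve it once at the top, `$user = $account ?: \Drupal::currentUser();`, and pass `$user` to the three allowedIfHasPermission() calls, leaving `$account` untouched for the parent call. The 'view' comment misspells "permisison" and uses curly quotes around ‘post comments’; use straight quotes so the permission name is copy-pasteable.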
diff --git a/core/modules/comment/tests/src/Functional/CommentStatusFieldAccessTest.php b/core/modules/comment/tests/src/Functional/CommentStatusFieldAccessTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..504b3bacf6714ae09b3c24458df415d638aba9ee
--- /dev/null
+++ b/core/modules/comment/tests/src/Functional/CommentStatusFieldAccessTest.php
@@ -0,0 +1,100 @@
+ 'article',
+ 'name' => t('Article'),
+ ]);
+ $node_type->save();
+ $this->nodeAuthor = $this->drupalCreateUser([
+ 'create article content',
+ 'skip comment approval',
+ 'post comments',
+ 'edit own comments',
+ 'access comments',
+ 'administer nodes',
+ ]);
+ $this->commentAdmin = $this->drupalCreateUser([
+ 'administer comments',
+ 'create article content',
+ 'edit own comments',
+ 'skip comment approval',
+ 'post comments',
+ 'access comments',
+ 'administer nodes',
+ ]);
+ $this->addDefaultCommentField('node', 'article');
+ }
+
+ /**
+ * Tests comment status field access.
+ */
+ public function testCommentStatusFieldAccessStatus() {
+ $this->drupalLogin($this->nodeAuthor);
+ $this->drupalGet('node/add/article');
+ $assert = $this->assertSession();
+ $assert->fieldNotExists('comment[0][status]');
+ $this->submitForm([
+ 'title[0][value]' => 'Node 1',
+ ], t('Save and publish'));
+ $assert->fieldExists('subject[0][value]');
+ $this->drupalLogin($this->commentAdmin);
+ $this->drupalGet('node/add/article');
+ $assert->fieldExists('comment[0][status]');
+ $this->submitForm([
+ 'title[0][value]' => 'Node 2',
+ ], t('Save and publish'));
+ $assert->fieldExists('subject[0][value]');
+ }
+
+}
diff --git a/core/modules/config/config.module b/core/modules/config/config.module
index 4f31e08f7bfabfdc7b4323c57895bc8f4a72504b..874caac8b5f49b07cb85e5e18d2ec933cffb35f3 100644
--- a/core/modules/config/config.module
+++ b/core/modules/config/config.module
@@ -65,14 +65,17 @@ function config_file_download($uri) {
 $scheme = file_uri_scheme($uri);
 $target = file_uri_target($uri);
 if ($scheme == 'temporary' && $target == 'config.tar.gz') {
- $request = \Drupal::request();
- $date = DateTime::createFromFormat('U', $request->server->get('REQUEST_TIME'));
- $date_string = $date->format('Y-m-d-H-i');
- $hostname = str_replace('.', '-', $request->getHttpHost());
- $filename = 'config' . '-' . $hostname . '-' . $date_string . '.tar.gz';
- $disposition = 'attachment; filename="' . $filename . '"';
- return array(
- 'Content-disposition' => $disposition,
- );
+ if (\Drupal::currentUser()->hasPermission('export configuration')) {
+ $request = \Drupal::request();
+ $date = DateTime::createFromFormat('U', $request->server->get('REQUEST_TIME'));
+ $date_string = $date->format('Y-m-d-H-i');
+ $hostname = str_replace('.', '-', $request->getHttpHost());
+ $filename = 'config' . '-' . $hostname . '-' . $date_string . '.tar.gz';
+ $disposition = 'attachment; filename="' . $filename . '"';
+ return array(
+ 'Content-disposition' => $disposition,
+ );
+ }
+ return -1;
 }
 }
diff --git a/core/modules/config/src/Tests/ConfigExportUITest.php b/core/modules/config/src/Tests/ConfigExportUITest.php
index 095c585904b9cdf0e736b70cb516059cc810f472..2f742ddad5da7e918eeab8f544b5fad6e1f12583 100644
--- a/core/modules/config/src/Tests/ConfigExportUITest.php
+++ b/core/modules/config/src/Tests/ConfigExportUITest.php
@@ -88,6 +88,12 @@ function testExport() {
 // Check the single export form doesn't have "form-required" elements.
 $this->drupalGet('admin/config/development/configuration/single/export');
 $this->assertNoRaw('js-form-required form-required', 'No form required fields are found.');
+
+ // Ensure the temporary file is not available to users without the
+ // permission.
+ $this->drupalLogout();
+ $this->drupalGet('system/temporary', ['query' => ['file' => 'config.tar.gz']]);
+ $this->assertResponse(403);
 }
 
 }
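Review bot: The new `return -1;` deny path has no comment, and -1 only means "access denied" by hook_file_download() convention, so it reads like an error code; add `// -1 denies access: the exported archive is only served to users who may export configuration.` above it. The re-indented filename code still takes `$hostname` from `$request->getHttpHost()`, a client-supplied value, and only swaps dots for dashes before it is placed in the Content-Disposition header; restricting it to a safe character set, `$hostname = preg_replace('/[^A-Za-z0-9-]+/', '-', $request->getHttpHost());`, keeps the header independent of whatever the Host header carried (if trusted host patterns are enforced upstream this is belt-and-braces, but the function itself does not show that). The enclosing function's signature line is the hunk context; its body before `$scheme` is outside the hunk.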