diff --git a/core/CHANGELOG.txt b/core/CHANGELOG.txt
index a632835ce89fd920114eb6b751aca9ba65fca657..64ad16798df190118cd481aa6d221ce2a894ff91 100644
--- a/core/CHANGELOG.txt
+++ b/core/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 8.1.3, 2016-06-15
+------------------------
+- Fixed security issue. SA-CORE-2016-002.
+
 Drupal 8.1.0, 2016-04-20
 ------------------------
 - Removed Composer-managed vendor from the git repository:
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index 9dc7c5f8900da1edd7804da2692dcd4e181f9206..7b367069bb986537b4a8e8060459f8489b3785bb 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -81,7 +81,7 @@ class Drupal {
 /**
 * The current system version.
 */
- const VERSION = '8.1.2';
+ const VERSION = '8.1.3';
 /**
 * Core API compatibility.
diff --git a/core/modules/statistics/config/schema/statistics.views.schema.yml b/core/modules/statistics/config/schema/statistics.views.schema.yml
new file mode 100644
index 0000000000000000000000000000000000000000..31a3325e11f3c6a48100bcad01de171182efc8dd
--- /dev/null
+++ b/core/modules/statistics/config/schema/statistics.views.schema.yml
@@ -0,0 +1,9 @@
+# Schema for the views plugins of the Statistics module.
+
+views.field.statistics_numeric:
+ type: views.field.numeric
+ label: 'Numeric values from the statistics module'
+
+views.field.node_counter_timestamp:
+ type: views.field.date
+ label: 'The most recent time the node has been viewed'
diff --git a/core/modules/statistics/src/Plugin/views/field/NodeCounterTimestamp.php b/core/modules/statistics/src/Plugin/views/field/NodeCounterTimestamp.php
new file mode 100644
index 0000000000000000000000000000000000000000..fb0eb3049e57846584c82159359221e197825c83
--- /dev/null
+++ b/core/modules/statistics/src/Plugin/views/field/NodeCounterTimestamp.php
@@ -0,0 +1,24 @@
+hasPermission('view post access counter');
+ }
+
+}
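Review bot: The permission name in the one statement that survives from NodeCounterTimestamp.php, `hasPermission('view post access counter')`, is a bare string literal that is repeated character for character at the end of StatisticsNumeric.php. The opening lines of both new files are missing on this page, so the enclosing method is not visible; if the two bodies are the same access override, a shared trait would keep the two handlers from drifting apart. A short comment above the check would also record why the handler exists, for example `// Hide statistics counters from accounts without 'view post access counter'.`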
diff --git a/core/modules/statistics/src/Plugin/views/field/StatisticsNumeric.php b/core/modules/statistics/src/Plugin/views/field/StatisticsNumeric.php
new file mode 100644
index 0000000000000000000000000000000000000000..a425b31184b4e095e0497eba93afa7e6b2a036d9
--- /dev/null
+++ b/core/modules/statistics/src/Plugin/views/field/StatisticsNumeric.php
@@ -0,0 +1,24 @@
+hasPermission('view post access counter');
+ }
+
+}
diff --git a/core/modules/statistics/src/Tests/Views/IntegrationTest.php b/core/modules/statistics/src/Tests/Views/IntegrationTest.php
index 4882fd2471ff45cac65af93c3eeac5d9112fbc05..07380c88922c2a66b4cb00e548a62cd06db25008 100644
--- a/core/modules/statistics/src/Tests/Views/IntegrationTest.php
+++ b/core/modules/statistics/src/Tests/Views/IntegrationTest.php
@@ -47,8 +47,11 @@ protected function setUp() {
 ViewTestData::createTestViews(get_class($this), array('statistics_test_views'));
- // Create a new user for viewing nodes.
- $this->webUser = $this->drupalCreateUser(array('access content'));
+ // Create a new user for viewing nodes and statistics.
+ $this->webUser = $this->drupalCreateUser(array('access content', 'view post access counter'));
+
+ // Create a new user for viewing nodes only.
+ $this->deniedUser = $this->drupalCreateUser(array('access content'));
 $this->drupalCreateContentType(array('type' => 'page'));
 $this->node = $this->drupalCreateNode(array('type' => 'page'));
@@ -59,13 +62,14 @@ protected function setUp() {
 ->set('count_content_views', 1)
 ->save();
- $this->drupalLogin($this->webUser);
 }
 /**
 * Tests the integration of the {node_counter} table in views.
 */
 public function testNodeCounterIntegration() {
+ $this->drupalLogin($this->webUser);
+
 $this->drupalGet('node/' . $this->node->id());
 // Manually calling statistics.php, simulating ajax behavior.
 // @see \Drupal\statistics\Tests\StatisticsLoggingTest::testLogging().
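Review bot: `$this->deniedUser` is assigned in the `@@ -47,8 +47,11 @@` hunk of IntegrationTest.php, but none of the hunks for this file adds a property declaration for it, so unless the class already declares it outside the hunks it is created dynamically and carries no documentation. Declaring it next to the existing user property, `protected $deniedUser;`, with a docblock along the lines of "A user who may view nodes but not the statistics counters", keeps the test class self-describing. setUp() begins outside this hunk, so the existing declarations are not visible here.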
@@ -84,6 +88,17 @@ public function testNodeCounterIntegration() {
 $xpath = "//div[contains(@class, views-field-$field)]/span[@class = 'field-content']";
 $this->assertFieldByXpath($xpath, $value, "The $field output matches the expected.");
 }
+
+ $this->drupalLogout();
+ $this->drupalLogin($this->deniedUser);
+ $this->drupalGet('test_statistics_integration');
+ $this->assertResponse(200);
+
+ foreach ($expected as $field => $value) {
+ $xpath = "//div[contains(@class, views-field-$field)]/span[@class = 'field-content']";
+ $this->assertNoFieldByXpath($xpath, $value, "The $field output is not displayed.");
+ }
+
 }
 }
diff --git a/core/modules/statistics/statistics.views.inc b/core/modules/statistics/statistics.views.inc
index c3fdaa1ae10b5d9336d711e39ee436709ff27d30..e8512518819fcd434eb88fbfc56d931137976cbe 100644
--- a/core/modules/statistics/statistics.views.inc
+++ b/core/modules/statistics/statistics.views.inc
@@ -22,7 +22,7 @@ function statistics_views_data() {
 'title' => t('Total views'),
 'help' => t('The total number of times the node has been viewed.'),
 'field' => array(
- 'id' => 'numeric',
+ 'id' => 'statistics_numeric',
 'click sortable' => TRUE,
 ),
 'filter' => array(
@@ -40,7 +40,7 @@ function statistics_views_data() {
 'title' => t('Views today'),
 'help' => t('The total number of times the node has been viewed today.'),
 'field' => array(
- 'id' => 'numeric',
+ 'id' => 'statistics_numeric',
 'click sortable' => TRUE,
 ),
 'filter' => array(
@@ -58,7 +58,7 @@ function statistics_views_data() {
 'title' => t('Most recent view'),
 'help' => t('The most recent time the node has been viewed.'),
 'field' => array(
- 'id' => 'node_counter_timestamp',
+ 'id' => 'node_counter_timestamp',
 'click sortable' => TRUE,
 ),
 'filter' => array(
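Review bot: The XPath copied into the added denied-user loop of IntegrationTest.php, `contains(@class, views-field-$field)`, passes the class name without quotes, so as far as XPath 1.0 parsing goes it is read as a child-element name test that yields an empty string, and `contains()` is then true for every div. The negative assertion therefore only shows that no `field-content` span carries the expected value, not that the statistics field itself is absent; a counter rendered with a different value would still pass. Quoting the token, `contains(@class, 'views-field-$field')`, and passing `NULL` as the value to `assertNoFieldByXpath()` would assert that the field is not rendered at all. The same unquoted expression is in the context lines above it, and testNodeCounterIntegration() starts outside this hunk.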
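Review bot: Only the `field` handler of each counter column in statistics_views_data() is moved to a permission-checked plugin; the `'filter' => array(` entry that closes the `@@ -22,7 +22,7 @@` hunk (and the hunks at -40 and -58) is untouched, and its definition continues outside the hunk. If the filter, sort and argument handlers stay on the generic numeric and date plugins, a view that exposes them can still order or narrow results by counter values for accounts without 'view post access counter', so the values remain partly inferable even though the field is hidden. Consider giving those handlers the same check, or at least record the limit next to each definition with a comment such as `// Access is enforced on the field handler only; exposed filters and sorts on this column are not permission-checked.`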