protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
  // Handle special cases up front. All users have access to the fallback
  // format.
  if ($entity->isFallbackFormat()) {
    return TRUE;
  }
  // ...
}

These are the first lines of FilterFormatAccessController::checkAccess(). As long as the format is the fallback format, any operation by any user is allowed on it, because the method returns TRUE before the requested operation is even looked at. Nothing uses this code yet, so this is not a security bug right now, but it will become one in the future once routes are converted to use entity access, for instance.
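The following is an added illustration of the problem and one way to structure the check, not the issue's patch or Drupal's own code: a stand-in format and account class, the early return quoted above beside a version that decides per operation first so the fallback format stays usable by everyone but cannot be disabled or deleted. The operation names, the 'administer filters' permission and the permission-name convention are assumptions.

```php
<?php
// Added illustration, not the issue's patch. FakeFormat/FakeAccount stand in
// for the real entity and account; operation names and permission strings
// are assumptions made for this example.

final class FakeFormat {
    public function __construct(private string $id, private bool $fallback) {}
    public function isFallbackFormat(): bool { return $this->fallback; }
    public function getPermissionName(): string { return 'use text format ' . $this->id; }
}

final class FakeAccount {
    public function __construct(private array $permissions) {}
    public function hasPermission(string $p): bool { return in_array($p, $this->permissions, true); }
}

// Before: whatever the operation, the fallback format is wide open.
function checkAccessBefore(FakeFormat $f, string $op, FakeAccount $a): bool {
    if ($f->isFallbackFormat()) {
        return TRUE;
    }
    return $a->hasPermission($f->getPermissionName());
}

// After: branch on the operation first, then apply the fallback special case inside it.
function checkAccessAfter(FakeFormat $f, string $op, FakeAccount $a): bool {
    switch ($op) {
        case 'use':
            // Everyone may use the fallback; other formats require their permission.
            return $f->isFallbackFormat() || $a->hasPermission($f->getPermissionName());
        case 'disable':
            // The fallback format must always remain available.
            return !$f->isFallbackFormat() && $a->hasPermission('administer filters');
        case 'delete':
            // Deleting a format would orphan content that uses it.
            return FALSE;
        default:
            return $a->hasPermission('administer filters');
    }
}

$fallback = new FakeFormat('plain_text', TRUE);
$anon = new FakeAccount([]);
foreach (['use', 'disable', 'delete'] as $op) {
    printf("%-7s before=%s after=%s\n", $op,
        var_export(checkAccessBefore($fallback, $op, $anon), true),
        var_export(checkAccessAfter($fallback, $op, $anon), true));
}
```

Run under PHP 8 or later; the "before" column is true for every operation while the "after" column is true only for 'use'.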


Comments

Xano

Assigned: Xano » Unassigned
Status: Active » Needs review
FileSize: 1.78 KB

There were problems with a few operations as well, so I restructured the code so it's much easier to see what happens.

Xano

FileSize: 2.52 KB

Status: Needs review » Needs work

The last submitted patch, drupal_2095693_2.patch, failed testing.

tim.plunkett

Status: Needs work » Needs review
FileSize: 1.64 KB

Xano

I'd either clean up the entire method (like #2), or fix the problem here and make the method readable in another issue. #4 fixes the problem and cleans up only part of the method.

Status: Needs review » Needs work

The last submitted patch, filter-2095693-4.patch, failed testing.

Xano

Status: Needs work » Needs review
FileSize: 1.59 KB
FileSize: 0 bytes

tim.plunkett

Empty interdiff...

Xano

FileSize: 446 bytes

Meh.

tim.plunkett

Status: Needs review » Reviewed & tested by the community

Oh, nice :)

Xano

Now we have fixed this, #2101119: Convert Filter routes to use entity access instead of permissions converts routes to use entity access.

Xano

#7: drupal_2095693_7.patch queued for re-testing.

catch

Status: Reviewed & tested by the community » Fixed

Much better. Committed/pushed to 8.x, thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.