```php
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
  // Handle special cases up front. All users have access to the fallback
  // format.
  if ($entity->isFallbackFormat()) {
    return TRUE;
  }
  // ...
}
```
These are the first lines of FilterFormatAccessController::checkAccess(). As long as the format is the fallback, any operation by any user is allowed on it. Because nothing uses this code yet, this is not a security bug right now, but it will become one in the future as we will need to make routes use entity access, for instance.
Comment | File | Size | Author |
---|---|---|---|
#9 | interdiff.txt | 446 bytes | Xano |
#7 | interdiff.txt | 0 bytes | Xano |
#7 | drupal_2095693_7.patch | 1.59 KB | Xano |
#4 | filter-2095693-4.patch | 1.64 KB | tim.plunkett |
#2 | drupal_2095693_2.patch | 2.52 KB | Xano |
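The effect of the unconditional fallback shortcut described in the issue summary, as an added example that is neither Drupal core code nor the committed patch. `Format`, `Account`, both function names, the operation names and the permission strings are stand-ins assumed for illustration.

```php
<?php
// Added illustration (PHP 8+), not Drupal core code. Format and Account are
// plain stand-ins; operation names and permission strings are assumptions.

final class Format {
  public function __construct(public string $id, public bool $fallback) {}
  public function isFallbackFormat(): bool { return $this->fallback; }
}

final class Account {
  public function __construct(private array $permissions) {}
  public function hasPermission(string $permission): bool {
    return in_array($permission, $this->permissions, TRUE);
  }
}

// Behaviour described in the issue: the shortcut never looks at $operation,
// so every operation on the fallback format is granted to every account.
function checkAccessBefore(Format $format, string $operation, Account $account): bool {
  if ($format->isFallbackFormat()) {
    return TRUE;
  }
  return $account->hasPermission('administer filters');
}

// Scoped variant: the shortcut applies only when the format is being used;
// every other operation falls through to a permission check.
function checkAccessScoped(Format $format, string $operation, Account $account): bool {
  if ($operation === 'use') {
    return $format->isFallbackFormat()
      || $account->hasPermission('use text format ' . $format->id);
  }
  return $account->hasPermission('administer filters');
}

// Constructed sample input: an account with no permissions at all.
$anonymous = new Account([]);
$fallback = new Format('plain_text', TRUE);

foreach (['use', 'update', 'disable'] as $operation) {
  printf("%-8s before=%-5s scoped=%s\n", $operation,
    var_export(checkAccessBefore($fallback, $operation, $anonymous), TRUE),
    var_export(checkAccessScoped($fallback, $operation, $anonymous), TRUE));
}
```

Only the `use` row stays granted in the scoped column; `update` and `disable` are granted in the "before" column even though the account holds no permissions.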
Comments
Comment #1
Xano
There were problems with a few operations as well, so I restructured the code so it's much easier to see what happens.
Comment #2
Xano
Comment #4
tim.plunkett
Comment #5
Xano
I'd either clean up the entire method (like #2), or fix the problem here and make the method readable in another issue. #4 fixes the problem and cleans up only part of the method.
Comment #7
Xano
Comment #8
tim.plunkett
Empty interdiff...
Comment #9
Xano
Meh.
Comment #10
tim.plunkett
Oh, nice :)
Comment #11
Xano
Now we have fixed this, #2101119: Convert Filter routes to use entity access instead of permissions converts routes to use entity access.
Comment #12
Xano
#7: drupal_2095693_7.patch queued for re-testing.
Comment #13
catch
Much better. Committed/pushed to 8.x, thanks!