diff --git a/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php b/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
index a58cf89..2d2f353 100644
--- a/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
@@ -149,17 +149,13 @@ public function patch($id, EntityInterface $entity = NULL) {
     // Overwrite the received properties.
     foreach ($entity as $field_name => $field) {
       if (isset($entity->{$field_name})) {
-        if (empty($entity->{$field_name})) {
-          if (!$original_entity->get($field_name)->access('delete')) {
-            throw new AccessDeniedHttpException(t('Access denied on deleting field @field.', array('@field' => $field_name)));
-          }
-        }
-        else {
-          if (!$original_entity->get($field_name)->access('update')) {
-            throw new AccessDeniedHttpException(t('Access denied on updating field @field.', array('@field' => $field_name)));
-          }
+        if ($field->isEmpty() && !$original_entity->get($field_name)->access('delete')) {
+          throw new AccessDeniedHttpException(t('Access denied on deleting field @field.', array('@field' => $field_name)));
         }
         $original_entity->set($field_name, $field->getValue());
+        if (!$original_entity->get($field_name)->access('update')) {
+          throw new AccessDeniedHttpException(t('Access denied on updating field @field.', array('@field' => $field_name)));
+        }
       }
     }
diff --git a/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php b/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
index 0a75cb3..618f663 100644
--- a/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
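Review bot: The `update` access check now runs after `$original_entity->set($field_name, $field->getValue())`, so it evaluates the incoming value rather than the stored one, and a denied field leaves `$original_entity` already modified in memory when the exception propagates; that is presumably safe only because the save happens after the loop, outside the hunk. The ordering looks deliberate, since it is what lets a field-level check such as TextField::defaultAccess() see the submitted text format, but nothing in the code says so; add above the `set()` call: `// Apply the value first so the 'update' access check can inspect the incoming value (e.g. its text format); the modified entity is discarded if access is denied.`. Note also that an empty incoming field now has to pass both the 'delete' and the 'update' check, which is stricter than the removed if/else; if that is intended, state it in the same comment. patch() continues outside the hunk.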
@@ -80,8 +80,16 @@ public function testCreate() {
     $this->assertResponse(403);
     $this->assertFalse(entity_load_multiple($entity_type, NULL, TRUE), 'No entity has been created in the database.');
-    // Restore the valid test value.
+    // Try to create a field with a text format this user has no access to.
     $entity->field_test_text->value = $entity_values['field_test_text'][0]['value'];
+    $entity->field_test_text->format = 'full_html';
+    $serialized = $serializer->serialize($entity, $this->defaultFormat);
+    $this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType);
+    $this->assertResponse(403);
+    $this->assertFalse(entity_load_multiple($entity_type, NULL, TRUE), 'No entity has been created in the database.');
+
+    // Restore the valid test value.
+    $entity->field_test_text->format = 'plain_text';
     $serialized = $serializer->serialize($entity, $this->defaultFormat);
   }
diff --git a/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php b/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
index b417f2a..827d7a4 100644
--- a/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
@@ -51,7 +51,10 @@ public function testPatchUpdate() {
     $entity->save();
     // Create a second stub entity for overwriting a field.
-    $patch_values['field_test_text'] = array(0 => array('value' => $this->randomString()));
+    $patch_values['field_test_text'] = array(0 => array(
+      'value' => $this->randomString(),
+      'format' => 'plain_text',
+    ));
     $patch_entity = entity_create($entity_type, $patch_values);
     // We don't want to overwrite the UUID.
     unset($patch_entity->uuid);
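Review bot: The new `full_html` case in testCreate() asserts a 403 but nothing in the hunk establishes why the request should be rejected: the test depends on the account lacking permission for the `full_html` text format, which is presumably set up elsewhere in the class. Without that stated, the assertion would also pass if the POST were rejected for an unrelated reason, so add above `$entity->field_test_text->format = 'full_html';`: `// The test account is not granted the 'full_html' format, so the format-level access check must reject this create.`. The restore step also newly pins the format to `plain_text`, which assumes that format is granted to the account; the same comment should mention it. testCreate() starts before the hunk.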
@@ -90,7 +93,8 @@ public function testPatchUpdate() {
     // Enable access protection for the text field.
     // @see entity_test_entity_field_access()
-    $entity->field_test_text->value = 'no access value';
+    $entity->field_test_text->value = 'no delete access value';
+    $entity->field_test_text->format = 'plain_text';
     $entity->save();
     // Try to empty a field that is access protected.
@@ -99,16 +103,26 @@ public function testPatchUpdate() {
     // Re-load the entity from the database.
     $entity = entity_load($entity_type, $entity->id(), TRUE);
-    $this->assertEqual($entity->field_test_text->value, 'no access value', 'Text field was not updated.');
+    $this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not deleted.');
     // Try to update an access protected field.
+    $patch_entity->get('field_test_text')->value = 'no access value';
     $serialized = $serializer->serialize($patch_entity, $this->defaultFormat);
     $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', $serialized, $this->defaultMimeType);
     $this->assertResponse(403);
     // Re-load the entity from the database.
     $entity = entity_load($entity_type, $entity->id(), TRUE);
-    $this->assertEqual($entity->field_test_text->value, 'no access value', 'Text field was not updated.');
+    $this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated.');
+
+    // Try to update the field with a text format this user has no access to.
+    $patch_entity->set('field_test_text', array(
+      'value' => 'test',
+      'format' => 'full_html',
+    ));
+    $serialized = $serializer->serialize($patch_entity, $this->defaultFormat);
+    $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', $serialized, $this->defaultMimeType);
+    $this->assertResponse(403);
     // Restore the valid test value.
     $entity->field_test_text->value = $this->randomString();
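Review bot: The new `full_html` PATCH case at the end of the second hunk asserts only the 403 and never re-loads the entity to confirm the stored value was left untouched, unlike the two access-denied cases directly above it. Since the resource applies the incoming value before running the update check, this is precisely the case where a regression in ordering (a save sneaking in before the exception) would go unnoticed. Add after the new `$this->assertResponse(403);`: `$entity = entity_load($entity_type, $entity->id(), TRUE);` and `$this->assertEqual($entity->field_test_text->value, 'no delete access value', 'Text field was not updated with a disallowed format.');`. testPatchUpdate() continues outside the hunk.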
diff --git a/core/modules/text/lib/Drupal/text/TextField.php b/core/modules/text/lib/Drupal/text/TextField.php
index 2f6bbe2..4b7d239 100644
--- a/core/modules/text/lib/Drupal/text/TextField.php
+++ b/core/modules/text/lib/Drupal/text/TextField.php
@@ -19,8 +19,13 @@ class TextField extends ConfigField {
    * {@inheritdoc}
    */
   public function defaultAccess($operation = 'view', AccountInterface $account = NULL) {
+    // We are only interested in write operations that set a text format.
     if ($operation != 'create' && $operation != 'update') {
-      return;
+      return TRUE;
+    }
+    // Empty fields don't have a format set, so this is allowed.
+    if ($this->isEmpty()) {
+      return TRUE;
     }
     if ($account == NULL) {
       $account = \Drupal::request()->attributes->get('_account');
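Review bot: Replacing `return;` with `return TRUE;` for every non-create/update operation turns a "no opinion" (NULL) result into an explicit allow; if the field access pipeline treats NULL as deferring to other checks while TRUE is a definite grant (I cannot confirm that from the hunk), view and delete access on text fields is now unconditionally granted by this method. If that is the intent, the comment should say so rather than only describing the method's interest: `// Read and delete operations are always allowed here; format permissions only matter when a value is written.`. The `isEmpty()` early return likewise skips format validation entirely for empty items, which is safe only if an empty field item really cannot carry a format, so that assumption should be confirmed against the field definition. defaultAccess() continues outside the hunk.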