Let's start to convert all calls to user_access() with the new AccountInterface::hasPermission() method.

Part of #2048171: [meta] Replace user_access() calls with $account->hasPermission() wherever possible.

Change records for this issue:

Files: 
CommentFileSizeAuthor
#7 2062021-remove-user_access-calls-7.patch4.09 KBrhm50
PASSED: [[SimpleTest]]: [MySQL] 58,062 pass(es).
[ View ]
#7 interdiff-2062021-5-7.txt409 bytesrhm50
#5 2062021-remove-user_access-calls-5.patch4.09 KBrhm50
PASSED: [[SimpleTest]]: [MySQL] 58,431 pass(es).
[ View ]
#5 interdiff-2062021-1-5.txt1.74 KBrhm50
#1 drupal-shortcut_php_replace_user_access.patch4.19 KBInternetDevels
FAILED: [[SimpleTest]]: [MySQL] 14,894 pass(es), 5,153 fail(s), and 303 exception(s).
[ View ]

Comments

StatusFileSize
new4.19 KB
FAILED: [[SimpleTest]]: [MySQL] 14,894 pass(es), 5,153 fail(s), and 303 exception(s).
[ View ]

Here is the patch.

Status:Active» Needs review

Status:Needs review» Needs work

The last submitted patch, drupal-shortcut_php_replace_user_access.patch, failed testing.

+++ b/core/modules/shortcut/shortcut.admin.inc
@@ -27,7 +27,7 @@
+  $user = Drupal::request()->attributes->get('_account');
+++ b/core/modules/shortcut/shortcut.module
@@ -11,7 +11,7 @@
+  $user = Drupal::request()->attributes->get('_account');
@@ -170,12 +170,13 @@ function shortcut_admin_paths() {
+  $account = Drupal::request()->attributes->get('_account');
@@ -194,14 +195,14 @@ function shortcut_set_edit_access($shortcut_set = NULL) {
+  $user = Drupal::request()->attributes->get('_account');;

Use Drupal::currentUser() service

Status:Needs work» Needs review
StatusFileSize
new1.74 KB
new4.09 KB
PASSED: [[SimpleTest]]: [MySQL] 58,431 pass(es).
[ View ]

Looks RTBC except one nitpick

+++ b/core/modules/shortcut/shortcut.admin.inc
@@ -27,7 +27,8 @@
function shortcut_set_switch($form, &$form_state, $account = NULL) {
-  global $user;
+  $user = Drupal::currentUser();
+  ¶<------

just a trailing white-space

StatusFileSize
new409 bytes
new4.09 KB
PASSED: [[SimpleTest]]: [MySQL] 58,062 pass(es).
[ View ]

Status:Needs review» Reviewed & tested by the community

Thanx for quick re-roll, patch is right! Usage in shortcut_set_switch_access() is right, explains bellow

+++ b/core/modules/shortcut/shortcut.module
@@ -195,14 +196,14 @@ function shortcut_set_edit_access($shortcut_set = NULL) {
function shortcut_set_switch_access($account = NULL) {
-  global $user;
+  $user = Drupal::currentUser();
...
-  if (user_access('administer shortcuts')) {
+  if ($user->hasPermission('administer shortcuts')) {
...
-  if (!user_access('switch shortcut sets')) {
+  if (!$user->hasPermission('switch shortcut sets')) {

That access check should happen against current user, the passed account here's for other purpose

Status:Reviewed & tested by the community» Fixed

Committed and pushed to 8.x. Thanks!

Manual testing is good. This issue just "updated" a broken access checker, which was being fixed in #1978952: Convert shortcut_set_add to a Controller

Automatically closed -- issue fixed for 2 weeks with no activity.