<?php

protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
  // Handle special cases up front. All users have access to the fallback
  // format.
  if ($entity->isFallbackFormat()) {
    return TRUE;
  }

  // ...

}
?>

These are the first lines of FilterFormatAccessController::checkAccess(). As long as the format is the fallback, any operation by any user is allowed on it. Because nothing uses this code yet, this is not a security bug right now, but it will become one in the future as we will need to make routes use entity access, for instance.
Files (comment: file, size, author):
#9: interdiff.txt, 446 bytes, Xano
#7: interdiff.txt, 0 bytes, Xano
#7: drupal_2095693_7.patch, 1.59 KB, Xano
    PASSED: [[SimpleTest]]: [MySQL] 58,264 pass(es).
#4: filter-2095693-4.patch, 1.64 KB, tim.plunkett
    FAILED: [[SimpleTest]]: [MySQL] 58,696 pass(es), 6 fail(s), and 287 exception(s).
#2: drupal_2095693_2.patch, 2.52 KB, Xano
    FAILED: [[SimpleTest]]: [MySQL] 58,872 pass(es), 6 fail(s), and 287 exception(s).
#1: drupal_2095693_1.patch, 1.78 KB, Xano
    FAILED: [[SimpleTest]]: [MySQL] Setup environment: Test cancelled by admin prior to completion.
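
The behaviour described in the issue summary, next to a variant that ties the fallback shortcut to a single operation. This is an added example, not Drupal core code and not one of the patches attached to this issue; the function names, the array-based format and account, the 'view' operation name and the permission strings are assumptions made for illustration.

```php
<?php
// Added illustration. Formats and accounts are plain arrays so the script runs
// with the PHP CLI alone; all names below are hypothetical.

// Behaviour from the issue summary: the fallback shortcut never looks at
// $operation, so every operation is granted on the fallback format.
function checkAccessBefore(array $format, string $operation, array $permissions): bool {
  if ($format['fallback']) {
    return TRUE;
  }
  return in_array('administer filters', $permissions, TRUE);
}

// Scoped variant: the shortcut applies only to the read-style operation that
// "all users have access to the fallback format" refers to.
function checkAccessScoped(array $format, string $operation, array $permissions): bool {
  if ($operation === 'view' && $format['fallback']) {
    return TRUE;
  }
  if ($operation === 'view') {
    // Non-fallback formats need their own per-format permission.
    return in_array($format['permission'], $permissions, TRUE);
  }
  // Every other operation falls through to an administrative permission.
  return in_array('administer filters', $permissions, TRUE);
}

// Constructed sample data.
$fallback  = ['id' => 'plain_text', 'fallback' => TRUE, 'permission' => NULL];
$anonymous = [];                        // account with no permissions
$admin     = ['administer filters'];    // account with the admin permission

// Print the decision for each operation under both variants.
foreach (['view', 'update', 'delete'] as $op) {
  printf("%-7s before(anon)=%-5s scoped(anon)=%-5s scoped(admin)=%s\n", $op,
    var_export(checkAccessBefore($fallback, $op, $anonymous), TRUE),
    var_export(checkAccessScoped($fallback, $op, $anonymous), TRUE),
    var_export(checkAccessScoped($fallback, $op, $admin), TRUE));
}
```

A test that iterates over every operation for an unprivileged account on the fallback format catches this class of bug before routes start relying on entity access.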

Comments

Assigned: Xano » Unassigned
Status: Active » Needs review
File (new): 1.78 KB
FAILED: [[SimpleTest]]: [MySQL] Setup environment: Test cancelled by admin prior to completion.

There were problems with a few operations as well, so I restructured the code so it's much easier to see what happens.

File (new): 2.52 KB
FAILED: [[SimpleTest]]: [MySQL] 58,872 pass(es), 6 fail(s), and 287 exception(s).

Status: Needs review » Needs work

The last submitted patch, drupal_2095693_2.patch, failed testing.

Status: Needs work » Needs review
File (new): 1.64 KB
FAILED: [[SimpleTest]]: [MySQL] 58,696 pass(es), 6 fail(s), and 287 exception(s).

I'd either clean up the entire method (like #2), or fix the problem here and make the method readable in another issue. #4 fixes the problem and cleans up only part of the method.

Status: Needs review » Needs work

The last submitted patch, filter-2095693-4.patch, failed testing.

Status: Needs work » Needs review
File (new): 1.59 KB
PASSED: [[SimpleTest]]: [MySQL] 58,264 pass(es).
File (new): 0 bytes

Empty interdiff...

File (new): 446 bytes

Meh.

Status: Needs review » Reviewed & tested by the community

Oh, nice :)

Now we have fixed this, #2101119: Convert Filter routes to use entity access instead of permissions converts routes to use entity access.

#7: drupal_2095693_7.patch queued for re-testing.

Status: Reviewed & tested by the community » Fixed

Much better. Committed/pushed to 8.x, thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.