From 145350a6a55d898859a79ccfe7a2bd3b485adca2 Mon Sep 17 00:00:00 2001
From: Christoph Burschka <christoph@burschka.de>
Date: Mon, 7 Dec 2015 00:34:30 +0100
Subject: [PATCH] Issue #2629874: Add _entity_access to routes.

The entity access requirement needs to be explicitly defined
in the routes to block access to the edit/delete pages.

This patch also adds corresponding assertions to the test case.
---
 src/Tests/XBBCodeAdminTest.php | 8 ++++++--
 xbbcode.routing.yml            | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/Tests/XBBCodeAdminTest.php b/src/Tests/XBBCodeAdminTest.php
index e04667e..cd9c817 100644
--- a/src/Tests/XBBCodeAdminTest.php
+++ b/src/Tests/XBBCodeAdminTest.php
@@ -96,12 +96,16 @@ class XBBCodeAdminTest extends WebTestBase {
     $this->assertText('Test Tag Description');
     $this->assertText('[test_tag]Content[/test_tag]');
 
-    // Check that the tag can't be deleted.
+    // Check that the tag can't be edited or deleted.
     $this->assertNoLinkByHref('admin/config/content/xbbcode/tags/manage/test_tag_id');
     $this->assertNoLinkByHref('admin/config/content/xbbcode/tags/manage/test_tag_id/delete');
+    $this->drupalGet('admin/config/content/xbbcode/tags/manage/test_tag_id');
+    $this->assertResponse(403);
+    $this->drupalGet('admin/config/content/xbbcode/tags/manage/test_tag_id/delete');
+    $this->assertResponse(403);
 
+    $this->drupalGet('admin/config/content/xbbcode/tags');
     $this->clickLink('Create custom tag');
-
     $edit = $this->createCustomTag();
 
     // We should have been redirected to the tag list.
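Review bot: The added `assertResponse(403)` checks on `.../manage/test_tag_id` and `.../manage/test_tag_id/delete` cover only the deny path, so an access handler that refused update and delete for every tag would pass this test too. Once `createCustomTag()` has run, I would also request the edit and delete paths of that new tag and assert a 200, unless the part of the method outside this hunk already does so. A short comment above the two `drupalGet()` calls would help as well, e.g. `// Hiding the links is not enough; the routes must reject direct requests too.` The enclosing test method starts and ends outside the hunk.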
diff --git a/xbbcode.routing.yml b/xbbcode.routing.yml
index 21f5f7a..3bb3350 100644
--- a/xbbcode.routing.yml
+++ b/xbbcode.routing.yml
@@ -28,6 +28,7 @@ entity.xbbcode_tag.edit_form:
     _entity_form: xbbcode_tag.edit
   requirements:
     _permission: 'administer custom BBCode tags'
+    _entity_access: xbbcode_tag.update
 
 entity.xbbcode_tag.delete_form:
   path: '/admin/config/content/xbbcode/tags/manage/{xbbcode_tag}/delete'
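Review bot: With `_entity_access: xbbcode_tag.update` added here, and `_entity_access: xbbcode_tag.delete` on `entity.xbbcode_tag.delete_form` in the next hunk, the decision now rests on the xbbcode_tag access control handler, which this patch does not show or document. I would add a comment above each requirement, such as `# Must pass together with _permission; decided per entity by the xbbcode_tag access handler.`, so that a later edit does not drop one of the two checks. It is also worth confirming that no other route taking `{xbbcode_tag}` is left with only `_permission`; the rest of the routing file is outside these hunks.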
@@ -36,3 +37,4 @@ entity.xbbcode_tag.delete_form:
     _title: 'Delete custom tag'
   requirements:
     _permission: 'administer custom BBCode tags'
+    _entity_access: xbbcode_tag.delete
-- 
1.9.1

