diff --git a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php index ac36411..5f4b7b7 100644 --- a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php +++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php @@ -316,15 +316,15 @@ public function fieldAccess($operation, FieldDefinitionInterface $field_definiti $default = $items ? $items->defaultAccess($operation, $account) : AccessResult::allowed(); // Explicitly disallow changing the entity ID and entity UUID. - if ($operation === 'edit') { + // Since the 'edit' operation is used for field-level access when creating + // entities as well, we need to check whether the entity is new, as in this + // case explicitly setting the ID or UUID is allowed. + if ($operation === 'edit' && $items && ($entity = $items->getEntity()) && !$entity->isNew()) { if ($field_definition->getName() === $this->entityType->getKey('id')) { - return $return_as_object ? AccessResult::forbidden('The entity ID cannot be changed') : FALSE; + return $return_as_object ? AccessResult::forbidden('The entity ID cannot be changed')->addCacheableDependency($entity) : FALSE; } elseif ($field_definition->getName() === $this->entityType->getKey('uuid')) { - // UUIDs can be set when creating an entity. - if ($items && ($entity = $items->getEntity()) && !$entity->isNew()) { - return $return_as_object ? AccessResult::forbidden('The entity UUID cannot be changed')->addCacheableDependency($entity) : FALSE; - } + return $return_as_object ? AccessResult::forbidden('The entity UUID cannot be changed')->addCacheableDependency($entity) : FALSE; } } diff --git a/core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php b/core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php index 216e8d6..2da8e43 100644 --- a/core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php +++ b/core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php @@ -7,6 +7,7 @@ use Drupal\Core\DependencyInjection\Container; use Drupal\Tests\UnitTestCase; use Drupal\user\UserAccessControlHandler; +use Drupal\user\UserInterface; /** * Tests the user access controller. @@ -66,7 +67,7 @@ protected function setUp() { $container->set('cache_contexts_manager', $cache_contexts_manager); \Drupal::setContainer($container); - $this->viewer = $this->getMock('\Drupal\Core\Session\AccountInterface'); + $this->viewer = $this->getMock(UserInterface::class); $this->viewer ->expects($this->any()) ->method('hasPermission') @@ -75,8 +76,12 @@ protected function setUp() { ->expects($this->any()) ->method('id') ->will($this->returnValue(1)); + $this->viewer + ->expects($this->any()) + ->method('isNew') + ->will($this->returnValue(FALSE)); - $this->owner = $this->getMock('\Drupal\Core\Session\AccountInterface'); + $this->owner = $this->getMock(UserInterface::class); $this->owner ->expects($this->any()) ->method('hasPermission') @@ -84,11 +89,14 @@ protected function setUp() { ['administer users', FALSE], ['change own username', TRUE], ])); - $this->owner ->expects($this->any()) ->method('id') ->will($this->returnValue(2)); + $this->owner + ->expects($this->any()) + ->method('isNew') + ->will($this->returnValue(FALSE)); $this->admin = $this->getMock('\Drupal\Core\Session\AccountInterface'); $this->admin diff --git a/core/tests/Drupal/KernelTests/Core/Entity/EntityAccessControlHandlerTest.php b/core/tests/Drupal/KernelTests/Core/Entity/EntityAccessControlHandlerTest.php index b3af27f..9c8ec4f 100644 --- a/core/tests/Drupal/KernelTests/Core/Entity/EntityAccessControlHandlerTest.php +++ b/core/tests/Drupal/KernelTests/Core/Entity/EntityAccessControlHandlerTest.php @@ -18,6 +18,7 @@ /** * Tests the entity access control handler. * + * @coversDefaultClass \Drupal\Core\Entity\EntityAccessControlHandler * @group Entity */ class EntityAccessControlHandlerTest extends EntityLanguageTestBase { @@ -293,4 +294,43 @@ public function testHooks() { $this->assertEqual($state->get('entity_test_entity_test_access'), TRUE); } + /** + * Tests the default access handling for the ID and UUID fields. + * + * @covers ::fieldAccess + */ + public function testFieldAccess() { + // Set up a non-admin user that is allowed to create and update test + // entities. + \Drupal::currentUser()->setAccount($this->createUser(['uid' => 2], ['administer entity_test content'])); + + $uuid = \Drupal::service('uuid')->generate(); + $entity = EntityTest::create([ + 'name' => 'a_test_entity', + 'uuid' => $uuid, + ]); + + // On newly-created entities, field access must allow setting the ID and + // UUID fields. + $this->assertTrue($entity->get('uuid')->access('edit')); + $this->assertTrue($entity->get('uuid')->access('edit', NULL, TRUE)->isAllowed()); + $this->assertTrue($entity->get('id')->access('edit')); + $this->assertTrue($entity->get('id')->access('edit', NULL, TRUE)->isAllowed()); + + // Save the entity and check that we can not update the ID or UUID fields + // anymore. + $entity->save(); + $this->assertSame($uuid, $entity->uuid()); + + $this->assertFalse($entity->get('uuid')->access('edit')); + $access_result = $entity->get('uuid')->access('edit', NULL, TRUE); + $this->assertTrue($access_result->isForbidden()); + $this->assertEquals('The entity UUID cannot be changed', $access_result->getReason()); + + $this->assertFalse($entity->get('id')->access('edit')); + $access_result = $entity->get('id')->access('edit', NULL, TRUE); + $this->assertTrue($access_result->isForbidden()); + $this->assertEquals('The entity ID cannot be changed', $access_result->getReason()); + } + }