diff --git a/core/lib/Drupal/Core/Entity/Element/EntityAutocomplete.php b/core/lib/Drupal/Core/Entity/Element/EntityAutocomplete.php index 2a52b79..7c470a7 100644 --- a/core/lib/Drupal/Core/Entity/Element/EntityAutocomplete.php +++ b/core/lib/Drupal/Core/Entity/Element/EntityAutocomplete.php @@ -259,7 +259,7 @@ protected static function matchEntityByTitle($handler, $input, &$element, FormSt /** * Converts an array of entity objects into a string of entity labels. * - * This method is also responsible for checking the 'view' access on the + * This method is also responsible for checking the 'view label' access on the * passed-in entities. * * @param \Drupal\Core\Entity\EntityInterface[] $entities @@ -271,7 +271,9 @@ protected static function matchEntityByTitle($handler, $input, &$element, FormSt public static function getEntityLabels(array $entities) { $entity_labels = array(); foreach ($entities as $entity) { - $label = ($entity->access('view')) ? $entity->label() : t('- Restricted access -'); + // Use the special view label, since some entites allow the label to be + // viewed, even if the entity is not allowed to be viewed. + $label = ($entity->access('view label')) ? $entity->label() : t('- Restricted access -'); // Take into account "autocreated" entities. if (!$entity->isNew()) { diff --git a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php index 6d8d7fb..e743430 100644 --- a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php +++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php @@ -40,6 +40,13 @@ class EntityAccessControlHandler extends EntityHandlerBase implements EntityAcce protected $entityType; /** + * Allow access to entity label. + * + * @var bool + */ + protected $viewLabelOperation = FALSE; + + /** * Constructs an access control handler instance. * * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type @@ -124,7 +131,8 @@ protected function processAccessHookResults(array $access) { * @param \Drupal\Core\Entity\EntityInterface $entity * The entity for which to check access. * @param string $operation - * The entity operation. Usually one of 'view', 'update' or 'delete'. + * The entity operation. Usually one of 'view', 'view label', 'update' or + * 'delete'. * @param \Drupal\Core\Session\AccountInterface $account * The user for which to check access. * diff --git a/core/lib/Drupal/Core/Entity/EntityAccessControlHandlerInterface.php b/core/lib/Drupal/Core/Entity/EntityAccessControlHandlerInterface.php index c1e7333..1d3c1ed 100644 --- a/core/lib/Drupal/Core/Entity/EntityAccessControlHandlerInterface.php +++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandlerInterface.php @@ -27,7 +27,7 @@ * The entity for which to check access. * @param string $operation * The operation access should be checked for. - * Usually one of "view", "update" or "delete". + * Usually one of "view", "view label", "update" or "delete". * @param \Drupal\Core\Session\AccountInterface $account * (optional) The user session for which to check access, or NULL to check * access for the current user. Defaults to NULL. diff --git a/core/modules/link/src/Tests/LinkFieldTest.php b/core/modules/link/src/Tests/LinkFieldTest.php index 494936a..226211f 100644 --- a/core/modules/link/src/Tests/LinkFieldTest.php +++ b/core/modules/link/src/Tests/LinkFieldTest.php @@ -12,6 +12,7 @@ use Drupal\Core\Url; use Drupal\link\LinkItemInterface; use Drupal\simpletest\WebTestBase; +use Drupal\user\Entity\User; /** * Tests link field widgets and formatters. @@ -41,6 +42,9 @@ class LinkFieldTest extends WebTestBase { */ protected $field; + /** + * {@inheritdoc} + */ protected function setUp() { parent::setUp(); @@ -54,7 +58,7 @@ protected function setUp() { /** * Tests link field URL validation. */ - function testURLValidation() { + public function testURLValidation() { $field_name = Unicode::strtolower($this->randomMachineName()); // Create a field with settings to validate. $this->fieldStorage = entity_create('field_storage_config', array( @@ -97,6 +101,9 @@ function testURLValidation() { // Create a node to test the link widget. $node = $this->drupalCreateNode(); + // Get the user 1 account. + $admin_account = User::load(1); + // Define some valid URLs (keys are the entered values, values are the // strings displayed to the user). $valid_external_entries = array( @@ -115,7 +122,7 @@ function testURLValidation() { // https://www.drupal.org/node/2421941 '' => '<front>', '#example' => '<front>#example', - '?example=llama' =>'<front>?example=llama', + '?example=llama' => '<front>?example=llama', // Query string and fragment. '?example=llama' => '?example=llama', @@ -125,8 +132,8 @@ function testURLValidation() { $node->label() . ' (1)' => $node->label() . ' (1)', // Entity URI displayed as ER autocomplete value when displayed in a form. 'entity:node/1' => $node->label() . ' (1)', - // URI for an entity that exists, but is not accessible by the user. - 'entity:user/1' => '- Restricted access - (1)', + // Account labels are not treated as confidential information. + 'entity:user/1' => $admin_account->label() . ' (1)', // URI for an entity that doesn't exist, but with a valid ID. 'entity:user/999999' => 'entity:user/999999', // URI for an entity that doesn't exist, with an invalid ID. @@ -138,9 +145,9 @@ function testURLValidation() { $validation_error_2 = 'Manually entered paths should start with /, ? or #.'; $validation_error_3 = "The path '@link_path' is inaccessible."; $invalid_external_entries = array( - // Invalid protocol + // Invalid protocol. 'invalid://not-a-valid-protocol' => $validation_error_1, - // Missing host name + // Missing host name. 'http://' => $validation_error_1, ); $invalid_internal_entries = array( @@ -215,7 +222,7 @@ protected function assertInvalidEntries($field_name, array $invalid_entries) { /** * Tests the link title settings of a link field. */ - function testLinkTitle() { + protected function testLinkTitle() { $field_name = Unicode::strtolower($this->randomMachineName()); // Create a field with settings to validate. $this->fieldStorage = entity_create('field_storage_config', array( @@ -329,7 +336,7 @@ function testLinkTitle() { /** * Tests the default 'link' formatter. */ - function testLinkFormatter() { + public function testLinkFormatter() { $field_name = Unicode::strtolower($this->randomMachineName()); // Create a field with settings to validate. $this->fieldStorage = entity_create('field_storage_config', array( @@ -469,7 +476,7 @@ function testLinkFormatter() { * This test is mostly the same as testLinkFormatter(), but they cannot be * merged, since they involve different configuration and output. */ - function testLinkSeparateFormatter() { + public function testLinkSeparateFormatter() { $field_name = Unicode::strtolower($this->randomMachineName()); // Create a field with settings to validate. $this->fieldStorage = entity_create('field_storage_config', array( diff --git a/core/modules/node/src/NodeAccessControlHandler.php b/core/modules/node/src/NodeAccessControlHandler.php index 490846f..b63260f 100644 --- a/core/modules/node/src/NodeAccessControlHandler.php +++ b/core/modules/node/src/NodeAccessControlHandler.php @@ -103,6 +103,15 @@ protected function checkAccess(EntityInterface $node, $operation, AccountInterfa $status = $node->isPublished(); $uid = $node->getOwnerId(); + if ($operation == 'view label') { + if ($this->viewLabelOperation == TRUE) { + return AccessResult::allowed(); + } + else { + $operation = 'view'; + } + } + // Check if authors can view their own unpublished nodes. if ($operation === 'view' && !$status && $account->hasPermission('view own unpublished content') && $account->isAuthenticated() && $account->id() == $uid) { return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($node); diff --git a/core/modules/system/tests/modules/entity_test/src/EntityTestAccessControlHandler.php b/core/modules/system/tests/modules/entity_test/src/EntityTestAccessControlHandler.php index bdc3785..7e20d1b 100644 --- a/core/modules/system/tests/modules/entity_test/src/EntityTestAccessControlHandler.php +++ b/core/modules/system/tests/modules/entity_test/src/EntityTestAccessControlHandler.php @@ -37,7 +37,7 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter return AccessResult::forbidden(); } - if ($operation === 'view') { + if ($operation === 'view' || $operation === 'view label') { if (!$entity->isDefaultTranslation()) { return AccessResult::allowedIfHasPermission($account, 'view test entity translations'); } diff --git a/core/modules/taxonomy/src/TermAccessControlHandler.php b/core/modules/taxonomy/src/TermAccessControlHandler.php index 7f12e02..cb44453 100644 --- a/core/modules/taxonomy/src/TermAccessControlHandler.php +++ b/core/modules/taxonomy/src/TermAccessControlHandler.php @@ -23,6 +23,14 @@ class TermAccessControlHandler extends EntityAccessControlHandler { * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { + if ($operation == 'view label') { + if ($this->viewLabelOperation == TRUE) { + return AccessResult::allowed(); + } + else { + $operation = 'view'; + } + } switch ($operation) { case 'view': return AccessResult::allowedIfHasPermission($account, 'access content'); diff --git a/core/modules/user/src/UserAccessControlHandler.php b/core/modules/user/src/UserAccessControlHandler.php index 605f7c7..4eca2ab 100644 --- a/core/modules/user/src/UserAccessControlHandler.php +++ b/core/modules/user/src/UserAccessControlHandler.php @@ -22,10 +22,17 @@ class UserAccessControlHandler extends EntityAccessControlHandler { /** + * Allow access to user label. + * + * @var bool + */ + protected $viewLabelOperation = TRUE; + + /** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { - /** @var \Drupal\user\UserInterface $entity*/ + /** @var \Drupal\user\UserInterface $entity */ // The anonymous user's profile can neither be viewed, updated nor deleted. if ($entity->isAnonymous()) { @@ -37,6 +44,16 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter return AccessResult::allowed()->cachePerPermissions(); } + // We don't treat the label as privileged information. + if ($operation == 'view label') { + if ($this->viewLabelOperation == TRUE) { + return AccessResult::allowed(); + } + else { + $operation = 'view'; + } + } + switch ($operation) { case 'view': // Only allow view access if the account is active.