diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index 55ce64a..9b7dfd3 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -106,7 +106,7 @@ public static function create(ContainerInterface $container, array $configuratio
   public function get(EntityInterface $entity) {
     $entity_access = $entity->access('view', NULL, TRUE);
     if (!$entity_access->isAllowed()) {
-      throw new AccessDeniedHttpException();
+      throw new AccessDeniedHttpException('The current user does not have access to view the requested entity.');
     }
 
     $response = new ResourceResponse($entity, 200);
@@ -145,7 +145,7 @@ public function post(EntityInterface $entity = NULL) {
     }
 
     if (!$entity->access('create')) {
-      throw new AccessDeniedHttpException();
+      throw new AccessDeniedHttpException('Entity creation for bundle ' . $entity->bundle() . ' is not allowed for the current user.');
     }
     $definition = $this->getPluginDefinition();
     // Verify that the deserialized entity is of the type that we expect to
@@ -200,7 +200,7 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
       throw new BadRequestHttpException('Invalid entity type');
     }
     if (!$original_entity->access('update')) {
-      throw new AccessDeniedHttpException();
+      throw new AccessDeniedHttpException('Entity update for bundle ' . $entity->bundle() . ' is not allowed for the current user.');
     }
 
     // Overwrite the received properties.
@@ -257,7 +257,7 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
    */
   public function delete(EntityInterface $entity) {
     if (!$entity->access('delete')) {
-      throw new AccessDeniedHttpException();
+      throw new AccessDeniedHttpException('Entity deletion for bundle ' . $entity->bundle() . ' is not allowed for the current user.');
     }
     try {
       $entity->delete();
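Review bot: In the patch() hunk the new message reports `$entity->bundle()`, but the access check on the line above is made against `$original_entity`, so the 403 text names the bundle of the client-supplied payload rather than the stored entity whose update was refused; use `throw new AccessDeniedHttpException('Entity update for bundle ' . $original_entity->bundle() . ' is not allowed for the current user.');`. In the post() hunk `$entity` is the deserialized request body, so the bundle echoed in the response is client-supplied; the JSON/HAL serializers escape it, but it is worth confirming that no other enabled format renders the exception message unescaped. Each of the four methods continues outside its hunk.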
diff --git a/core/modules/rest/src/Tests/CreateTest.php b/core/modules/rest/src/Tests/CreateTest.php
index 2454d2a..a4bb21b 100644
--- a/core/modules/rest/src/Tests/CreateTest.php
+++ b/core/modules/rest/src/Tests/CreateTest.php
@@ -475,9 +475,13 @@ public function assertCreateEntityInvalidSerialized(EntityInterface $entity, $en
    */
   public function assertCreateEntityWithoutProperPermissions($entity_type, $serialized = NULL) {
     $this->drupalLogout();
-    $this->httpRequest('entity/' . $entity_type, 'POST', $serialized, $this->defaultMimeType);
+    $settings = $this->entityValues($entity_type);
+    $bundle = isset($settings['type']) ? $settings['type'] : $entity_type;
+    $url = Url::fromUri('internal:/entity/' . $entity_type)->setOption('query', ['_format' => $this->defaultFormat]);
+    $this->httpRequest($url, 'POST', $serialized, $this->defaultMimeType);
     // Forbidden Error as response.
     $this->assertResponse(403);
+    $this->assertText('Entity creation for bundle ' . $bundle . ' is not allowed for the current user.');
     $this->assertFalse(\Drupal::entityManager()->getStorage($entity_type)->loadMultiple(), 'No entity has been created in the database.');
   }
 
diff --git a/core/modules/rest/src/Tests/DeleteTest.php b/core/modules/rest/src/Tests/DeleteTest.php
index 88db0fd..b67bc21 100644
--- a/core/modules/rest/src/Tests/DeleteTest.php
+++ b/core/modules/rest/src/Tests/DeleteTest.php
@@ -27,7 +27,7 @@ public function testDelete() {
     // controllers are implemented.
     $entity_types = array('entity_test', 'node');
     foreach ($entity_types as $entity_type) {
-      $this->enableService('entity:' . $entity_type, 'DELETE');
+      $this->enableService('entity:' . $entity_type, 'DELETE', 'hal_json');
       // Create a user account that has the required permissions to delete
       // resources via the REST API.
       $permissions = $this->entityPermissions($entity_type, 'delete');
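Review bot: The CreateTest hunk introduces `Url::fromUri(...)` but this diff adds no `use Drupal\Core\Url;` to the file; if CreateTest.php does not already import it, the unqualified `Url` resolves inside the test's namespace and the first call fails. The `$bundle` derivation also hard-codes the assumption that `entityValues()` exposes the bundle under a `'type'` key and that bundle-less entity types report their type id from `bundle()`; a short comment such as `// bundle() returns the entity type id for bundle-less types, matching the message built by EntityResource::post().` would make that dependency on the resource's message explicit. The enclosing method ends inside the hunk; the DeleteTest hunk's testDelete() continues outside it.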
@@ -39,11 +39,11 @@ public function testDelete() {
       $entity->save();
       // Try first to delete over REST API without the CSRF token.
       $url = $entity->toUrl()->setRouteParameter('_format', $this->defaultFormat);
-      $this->httpRequest($url, 'DELETE', NULL, 'application/hal+json', FALSE);
+      $this->httpRequest($url, 'DELETE', NULL, 'application/hal_json', FALSE);
       $this->assertResponse(403);
       $this->assertRaw('X-CSRF-Token request header is missing');
       // Then try with an invalid CSRF token.
-      $this->httpRequest($url, 'DELETE', NULL, 'application/hal+json', 'invalid-csrf-token');
+      $this->httpRequest($url, 'DELETE', NULL, 'application/hal_json', 'invalid-csrf-token');
       $this->assertResponse(403);
       $this->assertRaw('X-CSRF-Token request header is invalid');
       // Delete it over the REST API.
@@ -69,8 +69,10 @@ public function testDelete() {
       // Re-save entity to the database.
       $entity = $this->entityCreate($entity_type);
       $entity->save();
-      $this->httpRequest($entity->urlInfo(), 'DELETE');
+      $url = $entity->urlInfo()->setRouteParameter('_format', $this->defaultFormat);
+      $this->httpRequest($url, 'DELETE');
       $this->assertResponse(403);
+      $this->assertText('Entity deletion for bundle ' . $entity->bundle() . ' is not allowed for the current user.');
       $storage->resetCache([$entity->id()]);
       $this->assertNotIdentical(FALSE, $storage->load($entity->id()), 'The ' . $entity_type . ' entity is still in the database.');
 
diff --git a/core/modules/rest/src/Tests/UpdateTest.php b/core/modules/rest/src/Tests/UpdateTest.php
index 287c2df..4cca7cb 100644
--- a/core/modules/rest/src/Tests/UpdateTest.php
+++ b/core/modules/rest/src/Tests/UpdateTest.php
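Review bot: The first DeleteTest hunk replaces the media type `application/hal+json` with `application/hal_json` on both CSRF requests, which is not a media type at all; `hal_json` is the REST format name, while the Content-Type header for HAL is `application/hal+json`. The requests presumably still pass because `_format` is now set on `$url` and a DELETE carries no body, but a test that sends an invalid Content-Type by accident documents the wrong contract for later readers. Either restore `'application/hal+json'` or, if the intent is that Content-Type no longer matters once `_format` is present, pass `$this->defaultMimeType` and say so in the comment above. testDelete() continues outside both hunks.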
@@ -191,7 +191,9 @@ public function testPatchUpdate() {
 
     // Try to update an entity without proper permissions.
     $this->drupalLogout();
-    $this->httpRequest($entity->urlInfo(), 'PATCH', $serialized, $this->defaultMimeType);
+    $url = $entity->urlInfo()->setRouteParameter('_format', $this->defaultFormat);
+    $this->httpRequest($url, 'PATCH', $serialized, $this->defaultMimeType);
+    $this->assertText('Entity update for bundle ' . $entity->bundle() . ' is not allowed for the current user.');
     $this->assertResponse(403);
 
     // Try to update a resource which is not REST API enabled.
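Review bot: The new `assertText(...)` line is placed before the existing `$this->assertResponse(403);`, so when the request returns some other status the first reported failure is a missing message string rather than the wrong status code; the CreateTest and DeleteTest hunks in this same commit check the status first, and this test should match them by swapping the two lines. The asserted text is also built from `$entity->bundle()` on the test-side entity, which only matches the resource's message while EntityResource::patch() echoes the payload's bundle rather than the stored entity's; if that is corrected on the resource side the two will still agree here because both are the same entity. testPatchUpdate() continues outside the hunk.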