diff --git a/core/lib/Drupal/Core/Access/AccessResult.php b/core/lib/Drupal/Core/Access/AccessResult.php
index b3c1bc4..d87872a 100644
--- a/core/lib/Drupal/Core/Access/AccessResult.php
+++ b/core/lib/Drupal/Core/Access/AccessResult.php
@@ -169,9 +169,6 @@ public static function allowedIfHasPermissions(AccountInterface $account, array
 };
 $access_result->setReason(sprintf("The following permissions are required: %s.", implode(" $conjunction ", array_map($quote, $permissions))));
 }
- else {
- $access_result->setReason("Access denied.");
- }
 }
 return $access_result;
diff --git a/core/modules/node/src/NodeAccessControlHandler.php b/core/modules/node/src/NodeAccessControlHandler.php
index 27e62e1..89b8169 100644
--- a/core/modules/node/src/NodeAccessControlHandler.php
+++ b/core/modules/node/src/NodeAccessControlHandler.php
@@ -67,10 +67,6 @@ public function access(EntityInterface $entity, $operation, AccountInterface $ac
 }
 $result = parent::access($entity, $operation, $account, TRUE)->cachePerPermissions();
- if (!$result->isAllowed()) {
- $result->setReason("The '$operation' permission is required.");
- }
-
 return $return_as_object ? $result : $result->isAllowed();
 }
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index 103ac29..6ed06cc 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
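Review bot: With the `else` branch removed in the AccessResult hunk, the denied result built by allowedIfHasPermissions() carries no reason at all for the case that branch covered, and because the enclosing `if` that selects between the branches starts outside the hunk, which case that is (apparently the one not served by the permission-listing message just above) cannot be confirmed from the diff. Callers that read `getReason()` directly, rather than through a `?:` fallback as EntityResource does in this commit, will now receive an empty reason for it. State the contract in the allowedIfHasPermissions() docblock (outside the hunk): `A denied result only carries a reason when the required permissions can be named.` The NodeAccessControlHandler hunk on this line makes the same trade and presumably leaves the reason to whatever parent::access() sets.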
@@ -106,7 +106,7 @@ public static function create(ContainerInterface $container, array $configuratio
 public function get(EntityInterface $entity) {
 $entity_access = $entity->access('view', NULL, TRUE);
 if (!$entity_access->isAllowed()) {
- throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->accessDeniedExceptionMessage($entity, 'view'));
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'view'));
 }
 $response = new ResourceResponse($entity, 200);
@@ -146,7 +146,7 @@ public function post(EntityInterface $entity = NULL) {
 $entity_access = $entity->access('create', NULL, TRUE);
 if (!$entity_access->isAllowed()) {
- throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->accessDeniedExceptionMessage($entity, 'create'));
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'create'));
 }
 $definition = $this->getPluginDefinition();
 // Verify that the deserialized entity is of the type that we expect to
@@ -202,7 +202,7 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
 }
 $entity_access = $original_entity->access('update', NULL, TRUE);
 if (!$entity_access->isAllowed()) {
- throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->accessDeniedExceptionMessage($entity, 'update'));
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'update'));
 }
 // Overwrite the received properties.
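Review bot: In the patch() hunk the access check runs against `$original_entity`, but the fallback message is generated from `$entity`, which by the method signature and the post() comment above appears to be the deserialized request body; the entity type and bundle echoed in the 403 body therefore come from client-supplied input rather than from the entity whose access was actually denied. Build the message from the entity that was checked: `throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($original_entity, 'update'));`. Whatever validation patch() applies to `$entity` earlier lies outside this hunk, and patch()'s body continues past it. The get() and post() hunks on this line are plain renames and need nothing.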
@@ -267,7 +267,7 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
 public function delete(EntityInterface $entity) {
 $entity_access = $entity->access('delete', NULL, TRUE);
 if (!$entity_access->isAllowed()) {
- throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->accessDeniedExceptionMessage($entity, 'delete'));
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'delete'));
 }
 try {
 $entity->delete();
@@ -282,17 +282,17 @@ public function delete(EntityInterface $entity) {
 }
 /**
- * Return the proper message checking if the entity has bundles.
+ * Generates a fallback access denied message, when no specific reason is set.
 *
 * @param \Drupal\Core\Entity\EntityInterface $entity
 * The entity object.
 * @param string $operation
- * The operation executed before to call the exception.
+ * The disallowed entity operation.
 *
- * @return string $operation
+ * @return string
 * The proper message to display in the AccessDeniedHttpException.
 */
- public function accessDeniedExceptionMessage(EntityInterface $entity, $operation) {
+ protected function generateFallbackAccessDeniedMessage(EntityInterface $entity, $operation) {
 $message = "You are not authorized to {$operation} this {$entity->getEntityTypeId()} entity";
 if ($entity->bundle() !== $entity->getEntityTypeId()) {
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Block/BlockResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/Block/BlockResourceTestBase.php
index b414e79..10c4e90 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/Block/BlockResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Block/BlockResourceTestBase.php
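Review bot: The second hunk does not only rename `accessDeniedExceptionMessage()`; it also narrows it from public to protected, so any subclass or external caller that used the old public name loses it in one step with no deprecation path. Unless the method never shipped in a tagged release (not determinable from the diff), keep a deprecated public alias that delegates to `generateFallbackAccessDeniedMessage()` for one cycle. The delete() hunk above is a plain rename, and the body of generateFallbackAccessDeniedMessage() continues outside the hunk.
```php
  /**
   * Returns the fallback access denied message.
   *
   * @deprecated Use generateFallbackAccessDeniedMessage() instead.
   */
  public function accessDeniedExceptionMessage(EntityInterface $entity, $operation) {
    return $this->generateFallbackAccessDeniedMessage($entity, $operation);
  }

  // … unchanged: generateFallbackAccessDeniedMessage() docblock and body …
```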
@@ -135,10 +135,12 @@ protected function getExpectedUnauthorizedAccessMessage($method) { return parent::getExpectedUnauthorizedAccessMessage($method); } - if ($method === 'GET') { - return "You are not authorized to view this block entity."; + switch ($method) { + case 'GET': + return "You are not authorized to view this block entity."; + default: + return parent::getExpectedUnauthorizedAccessMessage($method); } - return parent::getExpectedUnauthorizedAccessMessage($method); } } diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentResourceTestBase.php index 7410c01..7e38b33 100644 --- a/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentResourceTestBase.php +++ b/core/modules/rest/tests/src/Functional/EntityResource/Comment/CommentResourceTestBase.php @@ -318,12 +318,14 @@ protected function getExpectedUnauthorizedAccessMessage($method) { return parent::getExpectedUnauthorizedAccessMessage($method); } - if ($method === 'GET') { - return "The 'access comments' permission is required and the comment must be published."; - } - if ($method === 'POST') { - return "The 'post comments' permission is required."; + switch ($method) { + case 'GET'; + return "The 'access comments' permission is required and the comment must be published."; + case 'POST'; + return "The 'post comments' permission is required."; + default: + return parent::getExpectedUnauthorizedAccessMessage($method); } - return parent::getExpectedUnauthorizedAccessMessage($method); } + } diff --git a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php index b493d8e..c33abb7 100644 --- a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php +++ b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php 
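Review bot: In the CommentResourceTestBase hunk the case labels are written `case 'GET';` and `case 'POST';` with a semicolon, while every other switch this commit introduces (Block, EntityTest, Term, User) uses a colon; PHP accepts both, but the semicolon form reads like a statement terminator and is likely to be flagged by a coding-standard sniff. Change them to `case 'GET':` and `case 'POST':`. The Block hunk on this line is fine as written.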
@@ -249,25 +249,18 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 return $this->getExpectedBCUnauthorizedAccessMessage($method);
 }
- // If it has an admin permission lets return that message.
 $permission = $this->entity->getEntityType()->getAdminPermission();
 if ($permission !== FALSE) {
 return "The '{$permission}' permission is required.";
 }
- $operation = '';
- if ($method === 'GET') {
- $operation = 'view';
- }
- if ($method === 'POST') {
- $operation = 'create';
- }
- if ($method === 'PATCH') {
- $operation = 'update';
- }
- if ($method === 'DELETE') {
- $operation = 'delete';
- }
+ $http_method_to_entity_operation = [
+ 'GET' => 'view',
+ 'POST' => 'create',
+ 'PATCH' => 'update',
+ 'DELETE' => 'delete',
+ ];
+ $operation = $http_method_to_entity_operation[$method];
 $message = sprintf('You are not authorized to %s this %s entity', $operation, $this->entity->getEntityTypeId());
 if ($this->entity->bundle() !== $this->entity->getEntityTypeId()) {
@@ -392,8 +385,10 @@ public function testGet() {
 $response = $this->request('GET', $url, $request_options);
 $this->assertResourceErrorResponse(403, $this->getExpectedUnauthorizedAccessMessage('GET'), $response);
+ $this->setUpAuthorization('GET');
+
 // 200 for well-formed HEAD request.
 $response = $this->request('HEAD', $url, $request_options);
 $this->assertResourceResponse(200, '', $response);
@@ -600,6 +595,7 @@ public function testPost() {
 $response = $this->request('POST', $url, $request_options);
 $this->assertResourceErrorResponse(403, $this->getExpectedUnauthorizedAccessMessage('POST'), $response);
+ $this->setUpAuthorization('POST');
@@ -787,6 +783,7 @@ public function testPatch() {
 $response = $this->request('PATCH', $url, $request_options);
 $this->assertResourceErrorResponse(403, $this->getExpectedUnauthorizedAccessMessage('PATCH'), $response);
+ $this->setUpAuthorization('PATCH');
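Review bot: `$operation = $http_method_to_entity_operation[$method];` in the first hunk turns any method not in the map into an undefined-index notice and a null operation, where the replaced if-chain silently produced an empty string; neither outcome is useful in a test helper, so fail explicitly before the lookup: `if (!isset($http_method_to_entity_operation[$method])) {` / `  throw new \InvalidArgumentException("Unsupported HTTP method: $method");` / `}`. getExpectedUnauthorizedAccessMessage() continues outside the hunk. The three test hunks further down this line only add setUpAuthorization() calls and need nothing.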
@@ -939,6 +936,7 @@ public function testDelete() {
 $response = $this->request('DELETE', $url, $request_options);
 $this->assertResourceErrorResponse(403, $this->getExpectedUnauthorizedAccessMessage('DELETE'), $response);
+ $this->setUpAuthorization('DELETE');
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/EntityTest/EntityTestResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/EntityTest/EntityTestResourceTestBase.php
index e6ba5bd..bd45410 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/EntityTest/EntityTestResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/EntityTest/EntityTestResourceTestBase.php
@@ -132,13 +132,14 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 return parent::getExpectedUnauthorizedAccessMessage($method);
 }
- if ($method === 'GET') {
- return "The 'view test entity' permission is required.";
- }
- if ($method === 'POST') {
- return "The following permissions are required: 'administer entity_test content' OR 'administer entity_test_with_bundle content' OR 'create entity_test entity_test_with_bundle entities'.";
+ switch ($method) {
+ case 'GET':
+ return "The 'view test entity' permission is required.";
+ case 'POST':
+ return "The following permissions are required: 'administer entity_test content' OR 'administer entity_test_with_bundle content' OR 'create entity_test entity_test_with_bundle entities'.";
+ default:
+ return parent::getExpectedUnauthorizedAccessMessage($method);
 }
- return parent::getExpectedUnauthorizedAccessMessage($method);
 }
 }
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Term/TermResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/Term/TermResourceTestBase.php
index 652ae7e..b6bde1d 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/Term/TermResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Term/TermResourceTestBase.php
@@ -145,19 +145,18 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 return parent::getExpectedUnauthorizedAccessMessage($method);
 }
- if ($method === 'GET') {
- return "The 'access content' permission is required.";
- }
- if ($method === 'POST') {
- return "The 'administer taxonomy' permission is required.";
- }
- if ($method === 'PATCH') {
- return "The following permissions are required: 'edit terms in camelids' OR 'administer taxonomy'.";
- }
- if ($method === 'DELETE') {
- return "The following permissions are required: 'delete terms in camelids' OR 'administer taxonomy'.";
+ switch ($method) {
+ case 'GET':
+ return "The 'access content' permission is required.";
+ case 'POST':
+ return "The 'administer taxonomy' permission is required.";
+ case 'PATCH':
+ return "The following permissions are required: 'edit terms in camelids' OR 'administer taxonomy'.";
+ case 'DELETE':
+ return "The following permissions are required: 'delete terms in camelids' OR 'administer taxonomy'.";
+ default:
+ return parent::getExpectedUnauthorizedAccessMessage($method);
 }
- return parent::getExpectedUnauthorizedAccessMessage($method);
 }
 }
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
index 6cd91a2..fe9b750 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
@@ -225,16 +225,16 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 return parent::getExpectedUnauthorizedAccessMessage($method);
 }
- if ($method === 'GET') {
- return "The 'access user profiles' permission is required and the user must be active.";
- }
- if ($method === 'PATCH') {
- return "You are not authorized to update this user entity.";
- }
- if ($method === 'DELETE') {
- return 'You are not authorized to delete this user entity.';
+ switch ($method) {
+ case 'GET':
+ return "The 'access user profiles' permission is required and the user must be active.";
+ case 'PATCH':
+ return "You are not authorized to update this user entity.";
+ case 'DELETE':
+ return 'You are not authorized to delete this user entity.';
+ default:
+ return parent::getExpectedUnauthorizedAccessMessage($method);
 }
- return parent::getExpectedUnauthorizedAccessMessage($method);
 }
 }
diff --git a/core/modules/user/src/UserAccessControlHandler.php b/core/modules/user/src/UserAccessControlHandler.php
index c2fefec..dd7142c 100644
--- a/core/modules/user/src/UserAccessControlHandler.php
+++ b/core/modules/user/src/UserAccessControlHandler.php
@@ -39,7 +39,7 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
 // The anonymous user's profile can neither be viewed, updated nor deleted.
 if ($entity->isAnonymous()) {
- return AccessResult::forbidden("Access Denied");
+ return AccessResult::forbidden();
 }
 // Administrators can view/update/delete all user profiles.