.../src/Plugin/rest/resource/EntityResource.php | 31 +++++++++++-----------
 1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index 1087468..c85ecde 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -230,24 +230,25 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
 $field = $entity->get($field_name);
 $original_field = $original_entity->get($field_name);
- // If the user has access to view the field, we need to check update
- // access regardless of the field value to avoid information disclosure.
- // (Otherwise the user may try PATCHing with value after value, until they
- // send the current value for the field, and then they won't get a 403
- // response anymore, which indicates that the value they sent in the PATCH
- // request body matches the current value.)
- if (!$original_field->access('view')) {
+ // Only received fields whose value is not equal to the stored field value
+ // needs to be processed.
+ if (!$original_field->equals($field)) {
 if (!$original_field->access('edit')) {
- throw new AccessDeniedHttpException("Access denied on updating field '$field_name'.");
+ // If the user has access to view the field, we need to check update
+ // access regardless of the field value to avoid information disclosure.
+ // (Otherwise the user may try PATCHing with value after value, until
+ // they send the current value for the field, and then they won't get a
+ // 403 response anymore, which indicates that the value they sent in the
+ // PATCH request body matches the current value.)
+ if ($original_field->access('view')) {
+ throw new AccessDeniedHttpException("Access denied on updating field '$field_name'.");
+ }
+ else {
+ continue;
+ }
 }
+ $original_entity->set($field_name, $field->getValue());
 }
- // Check access for all received fields, but only if they are being
- // changed. The bundle of an entity, for example, must be provided for
- // denormalization to succeed, but it may not be changed.
- elseif (!$original_field->equals($field) && !$original_field->access('edit')) {
- throw new AccessDeniedHttpException("Access denied on updating field '$field_name'.");
- }
- $original_entity->set($field_name, $field->getValue());
 }
 // Validate the received data before saving.
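Review bot: The comment moved inside the `!$original_field->access('edit')` branch no longer matches the control flow around it: it says update access must be checked "regardless of the field value", but after this change `access('edit')` is only evaluated when `$original_field->equals($field)` is false, so the text describes the code the hunk removes. The new structure does still avoid the probing oracle the comment warns about — for a field the caller cannot view, an equal value (skipped by the outer `if`) and an unequal value (`continue`) both yield no 403 and no change — so the comment should state that invariant instead, e.g. `// A 403 here would reveal that the submitted value differs from the stored one, so it is only raised when the user could view the field anyway; otherwise the value is silently ignored, which is indistinguishable from submitting the current value.` Note also that the `continue` means a client with neither view nor edit access receives a success response while its submitted value was dropped; if that is intended, say so in the comment, otherwise an unconditional 403 for non-viewable fields (independent of `equals()`) would be equally oracle-free and more transparent to the client. `patch()` begins and ends outside the hunk, and the hunk header's line counts suggest two context lines are missing from this rendering.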