SA-CONTRIB-2015-039 addressed two issues, a redirect and default permissions for disabled views.
It looks like the redirect issue for the break_lock form is resolved here: http://cgit.drupalcode.org/drupal/tree/core/modules/views_ui/src/Form/Br...
A few of the views need to updated, at least the Archive and Glossary are missing access checks.
Comment | File | Size | Author |
---|---|---|---|
#29 | 2426389-29.patch | 10.38 KB | amateescu |
#21 | 2426389-21.patch | 9.97 KB | idebr |
#21 | interdiff-21-15.txt | 4.46 KB | idebr |
#21 | 2426389-21.fail_.patch | 7.72 KB | idebr |
#15 | interdiff.txt | 1.37 KB | olli |
Comments
Comment #1
mikey_p CreditAttribution: mikey_p commentedComment #2
dawehnerWe originally filled the default permissions issue based upon a public issue in the core issue queue, sadly I can't find it, primarily because
it got unpublished in the meantime.
But yeah for core it would be nice to have a really simple test, note we already have dedicated tests for each default view IMHO.
Comment #3
mikey_p CreditAttribution: mikey_p commentedFix, but still needs tests.
Comment #4
mikey_p CreditAttribution: mikey_p commentedAlso, not sure if the watchdog and file views wizard plugins should implement some sort of access check. I'd imagine they do, but there's no obvious permission to check for those.
Comment #5
mikey_p CreditAttribution: mikey_p commentedConfirmed that the watchdog wizard doesn't add any permissions.
Comment #6
webchickTagging. We wouldn't want to recommend early adopters start building D8 sites without this being fixed.
Comment #7
webchickSorry, one more.
Comment #8
rootworkComment #11
olli CreditAttribution: olli commentedAdded default permission to aggregator_rss_feed.
missing ['options']
Comment #13
dawehneradapted the title to find the issue :P
It should be $display_options['access']['options']['perm'] instead.
Comment #14
dawehnerJust ensured and indeed the other part of the SA is fixed in HEAD:
Comment #15
olli CreditAttribution: olli commentedthank you!
Comment #16
dawehnerPerfect. Thank you!
Comment #17
catchI'd really like to remove archive, glossary and other random default views from core, could we open a follow-up for this?
Note I asked for this in the original VDC issue #1805996-26: [META] Views in Drupal Core then xjm's reply said it made sense for them to be in contrib #1805996-29: [META] Views in Drupal Core but for some reason that never happened.
Comment #18
dawehnerI think they are useful, given that those examples, especially glossary, are really hard to configure for your own.
They are disabled by default anyway.
In case we really want to remove them, they should be just moved to test only views, given that they allow us to have quite some good test coverage than just the simple views like frontpage.
Comment #19
alexpottFrom #2
Comment #20
idebr CreditAttribution: idebr commentedI'll work on some tests
Comment #21
idebr CreditAttribution: idebr commentedAdded tests for the paths:
Comment #22
idebr CreditAttribution: idebr commentedComment #24
amateescu CreditAttribution: amateescu commentedThe patch and tests look good to me. There's just one thing that stands out a bit:
We usually update the config entity instead working with the underlying config system, but it works so I'll let committers decide if it's ok to do this or not.. it's just a test after all :)
Comment #25
alexpottre #24 This makes the test unnecessarily dependent on the underlying config structure. Let's fix that.
Comment #26
amateescu CreditAttribution: amateescu commentedOk, that's a very easy fix and shouldn't hold up this patch any longer.
Comment #27
amateescu CreditAttribution: amateescu commentedOops, missed one :/
Comment #28
dawehnerNice work!
Comment #29
amateescu CreditAttribution: amateescu commentedI think #28 was a crosspost with #26 and the new files were accidentally deleted. Trying a re-upload of #27 for the testbot.
Comment #30
alexpottThis issue addresses a critical bug and is allowed per https://www.drupal.org/core/beta-changes. Committed 7f6245a and pushed to 8.0.x. Thanks!
Comment #32
dawehnerHere is the follow up requested by @catch : #2428335: Discuss what to do with the disabled default views: archive, glossary