https://www.drupal.org/sa-contrib-2018-081 was released yesterday. It says:

Sites with custom ... field access customizations may need to implement these newly introduced hooks.

Field Permissions needs to do so for the fields that it manages access for.

This was cleared by the Drupal Security Team to be a public issue, because it only affects the 8.x-1.x branch, which does not yet have a stable release.

Comment | File | Size | Author
#2 | field_permissions-jsonapi.patch | 7.19 KB | effulgentsia

Comments

effulgentsia created an issue.

effulgentsia:

Status: Active » Needs review
Attached file (new): 7.19 KB

Here's a patch.

effulgentsia:

+++ b/src/FieldPermissionsService.php
@@ -173,4 +174,44 @@ class FieldPermissionsService implements FieldPermissionsServiceInterface, Conta
+   * @todo Move this to an interface: either FieldPermissionsServiceInterface
+   *   or a new one.
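Review bot: The @todo on the new FieldPermissionsService method names no follow-up issue, so nothing tracks moving the method onto FieldPermissionsServiceInterface or a new interface. Add the follow-up issue's URL to the @todo. Until the method is declared on an interface, code that type-hints FieldPermissionsServiceInterface has no guarantee the method exists, which is worth stating in the docblock as well.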
...
+++ b/src/Plugin/FieldPermissionType/Base.php
@@ -63,4 +64,25 @@ abstract class Base extends PluginBase implements FieldPermissionTypeInterface,
+   * @todo Move this to an interface: either FieldPermissionTypeInterface or a
+   *   new one.
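Review bot: In Base.php the new method lives only on abstract class Base, so a plugin that implements FieldPermissionTypeInterface without extending Base will not have it. The code that calls this method should test for it first (an instanceof Base or method_exists() check) and treat a plugin that lacks it as not granting access, rather than calling it unconditionally.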

I left these todos as something that could be done in a non-critical follow-up, because adding methods to an existing interface is a BC break for implementors of the interface that don't extend from the base class. I don't know if that's a BC break that's acceptable in a module that's already RC.

jhedstrom:

Status: Needs review » Fixed

Looks good. Thanks!

wim leers:

Issue tags: +Security improvements

Go @effulgentsia!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.