  protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
    // Handle special cases up front. All users have access to the fallback
    // format.
    if ($entity->isFallbackFormat()) {
      return TRUE;
    }
    // ...
  }

These are the first lines of FilterFormatAccessController::checkAccess(). As long as the format is the fallback, any operation by any user is allowed on it. Because nothing uses this code yet, this is not a security bug right now, but it will become one in the future as we will need to make routes use entity access, for instance.

Files:

| Comment | File | Size | Author | Test result |
|---|---|---|---|---|
| #9 | interdiff.txt | 446 bytes | Xano | |
| #7 | interdiff.txt | 0 bytes | Xano | |
| #7 | drupal_2095693_7.patch | 1.59 KB | Xano | PASSED: [[SimpleTest]]: [MySQL] 58,264 pass(es). |
| #4 | filter-2095693-4.patch | 1.64 KB | tim.plunkett | FAILED: [[SimpleTest]]: [MySQL] 58,696 pass(es), 6 fail(s), and 287 exception(s). |
| #2 | drupal_2095693_2.patch | 2.52 KB | Xano | FAILED: [[SimpleTest]]: [MySQL] 58,872 pass(es), 6 fail(s), and 287 exception(s). |
| #1 | drupal_2095693_1.patch | 1.78 KB | Xano | FAILED: [[SimpleTest]]: [MySQL] Setup environment: Test cancelled by admin prior to completion. |
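The problem described in the issue summary, as an added example that is not code from the issue or from any of its patches: an access check whose fallback shortcut ignores the operation, beside one that ties the shortcut to a single operation, with a small regression check over both. The `Format` and `Account` classes, the operation names, the choice of `view` as the open operation, and the permission check standing in for the elided rest of the method are assumptions made for illustration.

```php
<?php
// Added illustration (PHP 8+). Format and Account are stand-ins, not Drupal classes.
final class Format {
  public function __construct(public string $id, public bool $fallback) {}
  public function isFallbackFormat(): bool { return $this->fallback; }
}

final class Account {
  public function __construct(private array $permissions = []) {}
  public function hasPermission(string $name): bool {
    return in_array($name, $this->permissions, TRUE);
  }
}

// Shape described in the issue: the shortcut never looks at $operation.
function checkAccessUnscoped(Format $format, string $operation, Account $account): bool {
  if ($format->isFallbackFormat()) {
    return TRUE;
  }
  // Assumed stand-in for the elided remainder of the method.
  return $account->hasPermission('administer filters');
}

// Shortcut tied to one operation (assumed here to be 'view').
function checkAccessScoped(Format $format, string $operation, Account $account): bool {
  if ($operation === 'view' && $format->isFallbackFormat()) {
    return TRUE;
  }
  return $account->hasPermission('administer filters');
}

// Regression check: operations a permission-less account is granted but should not be.
function unexpectedGrants(callable $check, Format $format, array $allowed): array {
  $account = new Account();
  $granted = [];
  foreach (['view', 'update', 'disable', 'delete'] as $operation) {
    if ($check($format, $operation, $account) && !in_array($operation, $allowed, TRUE)) {
      $granted[] = $operation;
    }
  }
  return $granted;
}

$fallback = new Format('plain_text', TRUE);  // constructed sample format
echo 'unscoped: ', implode(', ', unexpectedGrants('checkAccessUnscoped', $fallback, ['view'])), PHP_EOL;
echo 'scoped:   ', implode(', ', unexpectedGrants('checkAccessScoped', $fallback, ['view'])) ?: '(none)', PHP_EOL;
```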

Comments

Xano’s picture

Assigned: Xano » Unassigned
Status: Active » Needs review
FileSize
1.78 KB
FAILED: [[SimpleTest]]: [MySQL] Setup environment: Test cancelled by admin prior to completion. View

There were problems with a few operations as well, so I restructured the code so it's much easier to see what happens.

Xano’s picture

FileSize
2.52 KB
FAILED: [[SimpleTest]]: [MySQL] 58,872 pass(es), 6 fail(s), and 287 exception(s). View

Status: Needs review » Needs work

The last submitted patch, drupal_2095693_2.patch, failed testing.

tim.plunkett’s picture

Status: Needs work » Needs review
FileSize
1.64 KB
FAILED: [[SimpleTest]]: [MySQL] 58,696 pass(es), 6 fail(s), and 287 exception(s). View

Xano’s picture

I'd either clean up the entire method (like #2), or fix the problem here and make the method readable in another issue. #4 fixes the problem and cleans up only part of the method.

Status: Needs review » Needs work

The last submitted patch, filter-2095693-4.patch, failed testing.

Xano’s picture

Status: Needs work » Needs review
FileSize
1.59 KB
PASSED: [[SimpleTest]]: [MySQL] 58,264 pass(es). View
0 bytes

tim.plunkett’s picture

Empty interdiff...

Xano’s picture

FileSize
446 bytes

Meh.

tim.plunkett’s picture

Status: Needs review » Reviewed & tested by the community

Oh, nice :)

Xano’s picture

Now we have fixed this, #2101119: Convert Filter routes to use entity access instead of permissions converts routes to use entity access.

Xano’s picture

#7: drupal_2095693_7.patch queued for re-testing.

catch’s picture

Status: Reviewed & tested by the community » Fixed

Much better. Committed/pushed to 8.x, thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.