Closed (outdated)
Project:
Drupal core
Version:
7.x-dev
Component:
menu system
Priority:
Major
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
19 Aug 2015 at 23:20 UTC
Updated:
27 Jan 2017 at 17:52 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
webchickGoing to attempt to verify this one.
Comment #3
webchickNope, this isn't an issue in Drupal 8.
Steps to reproduce (/via David_Rothstein):
1. Create a node and add it to the main menu.
2. Remove the "access content" permission from anonymous users.
3. Log out and view the home page.
Works as expected.
Comment #4
webchickComment #5
larowlanConfirming cannot reproduce in D8
Comment #6
dawehnerIs it just me or should we maybe have some dedicated test coverage for it? I mean its like a regression we should absolute never have again.
Comment #7
webchickThat's true. We could totally do that.
Comment #8
webchickComment #9
strykaizerHere's a test for D8.
As noted, this test does not fail, since this bug is not an issue at this moment in d8.
Comment #10
strykaizerDocumentation fixes
Comment #11
stefan.r commentedNit: needs a newline between these.
s/fields/menu links/
Nit: Bracket notation.
Missing full stop.
Just to isolate this test to the "access content" permission, can we give just that permission to the anonymous user and assert that the link is there?
Nit: missing newline before class closing bracket.
Comment #12
strykaizer@stefan.r: Thanks for the review!
Attached you'll find a revised patch
Comment #13
stefan.r commentedThis looks great now as it tests for the same D7 vulnerability!
Just a nit: you missed converting the 4 other array()s and the first menu link assertion out of the 3 isn't necessary.
Comment #14
jibranLooks fine. It'd be great if we can mention https://www.drupal.org/SA-CORE-2015-003 in someplace inside the test.
Comment #15
webchickGrepped around a bit, and the format seems to be:
...right above the test.
So added this:
(We seem to have dropped "DRUPAL" from the SAs sometime.)
...and committed/pushed to 8.0.x. Thanks!
Comment #17
jibranThank you @webchick for fixing that on commit. :)
Comment #18
webchickOops, meant to do this.