Problem/Motivation

As part of #3349394: Provide announcement feed as a block a new block was created to show the announcements feed as a block.

This block checks if the user has 'access announcements' to grant access or not to the block. This logic has a bug.

According to BlockPluginTrait documentation, it encourages the use of blockAccess() method instead of access() to "to avoid repeating the handling of the $return_as_object argument."

AnnounceBlock overrides access() method instead of blockAccess(), and it does not handle the $return_as_object argument, so it could break method implementations that expect to get a boolean instead of an AccessResultInterface.

Steps to reproduce

Run this in your php console (drush php):

  • $manager = \Drupal::service('plugin.manager.block')
  • $user = new \Drupal\Core\Session\AnonymousUserSession()
  • $block = $manager->createInstance('announce_block')
  • $block->access($user)

It returns an instance of Drupal\Core\Access\AccessResultNeutral instead of FALSE.

Proposed resolution

Implement the access logic in blockAccess() method instead of access().

Remaining tasks

Implement fix
Add test coverage

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

None

Issue fork drupal-3414800

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

plopesc created an issue. See original summary.

plopesc’s picture

plopesc
he/him
Primary language Spanish
commented
Version: 10.2.x-dev » 11.x-dev
Issue summary: View changes

plopesc opened merge request !6179

plopesc’s picture

plopesc
he/him
Primary language Spanish
commented
Status: Active » Needs review

MR created and tests are green.

smustgrave’s picture

smustgrave commented
Issue summary: View changes
Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative, +Needs tests

Thanks for reporting.

Adding test coverage as a remaining task.

plopesc’s picture

plopesc
he/him
Primary language Spanish
commented
Status: Needs work » Needs review
Issue tags: -Needs tests

Thank you for your review @smustgrave

More specific tests were added, they're green in the main pipeline and the test only job fails. https://git.drupalcode.org/issue/drupal-3414800/-/pipelines/77948

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community

Test coverage appears to be there.

Change seems simple enough that I can mark now vs waiting.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Version: 11.x-dev » 10.2.x-dev
Status: Reviewed & tested by the community » Fixed

Normally adding return types to existing code is not allowed because someone might have extended it. But in this specific case I can't see a reason why anyone would be subclassing the announcement block, so going to let this one slide.

Eligible as a bug fix in 10.2.x so backported there too.

Committed and pushed 7025180d11 to 11.x and 67bb7069a0 to 10.2.x. Thanks!

  • longwave committed 67bb7069 on 10.2.x 
    Issue #3414800 by plopesc, smustgrave: Access check in AnnounceBlock...

  • longwave committed 7025180d on 11.x 
    Issue #3414800 by plopesc, smustgrave: Access check in AnnounceBlock...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.