Currently, there is no field-level 'edit' access check for text/format fields that guarantees that a user has permission to use the format she is trying to set. This caused the following security issue in RestWS: https://security.drupal.org/node/93428, and a similar issue in Services Entity: https://drupal.org/node/2059845, and D8 REST services: https://drupal.org/node/2064181.

It's debatable where this should be fixed. I've also opened an issue in D7 core (https://drupal.org/node/2060237) which fixes it in text.module, but interactions with the text-format widget force a change in the way that fields which a user can't edit are handled on forms (disabled rather than hidden), so I'm not sure if it's the best solution.

The patch to follow attempts to fix this on the Entity Metadata level.
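As an added illustration of the check the summary asks for (not the patch in #1 and not Entity API's own code): a setter callback that refuses a text format the acting user may not use, wired in through hook_entity_property_info_alter(). Names prefixed example_ are hypothetical; the setter signature and the 'property info' nesting follow Entity API 7.x-1.x as I understand them, and the alter hook is assumed to run after Entity API has attached the field sub-properties.

```php
<?php
/**
 * Setter callback for the 'format' sub-property of a text field.
 *
 * Hypothetical example, not the patch in #1. Assumes the Entity API setter
 * signature (&$data, $name, $value, $langcode, $type, $info). The wrapper
 * setter receives no account, so the acting user is taken from $GLOBALS.
 */
function example_text_format_checked_set(&$data, $name, $value, $langcode, $type, $info) {
  global $user;
  // filter_format_load() returns FALSE for unknown or disabled formats, so
  // those are rejected together with formats the user is not granted.
  $format = filter_format_load($value);
  if (!$format || !filter_access($format, $user)) {
    throw new EntityMetadataWrapperException(t('Text format %format may not be set by the current user.', array('%format' => $value)));
  }
  // Permitted: store the value exactly as the stock verbatim setter would.
  entity_property_verbatim_set($data, $name, $value, $langcode, $type, $info);
}

/**
 * Implements hook_entity_property_info_alter().
 *
 * Swaps the setter of every text field's 'format' sub-property for the
 * checked one above, so writes through the metadata wrapper (the path REST
 * modules use) are subject to the same permission as the form widget.
 */
function example_entity_property_info_alter(&$info) {
  foreach ($info as $entity_type => &$entity_info) {
    if (empty($entity_info['bundles'])) {
      continue;
    }
    foreach ($entity_info['bundles'] as $bundle => &$bundle_info) {
      if (empty($bundle_info['properties'])) {
        continue;
      }
      foreach ($bundle_info['properties'] as $field_name => &$property) {
        // Formatted text fields expose value/summary/format sub-properties.
        if (isset($property['property info']['format'])) {
          $property['property info']['format']['setter callback'] = 'example_text_format_checked_set';
        }
      }
    }
  }
}
```

A write such as `$wrapper->body->format->set('full_html')` then throws for a user lacking that format's permission, while reads are unaffected.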

Comment  File  Size  Author
#1  2065021-text-format-access.patch  4.82 KB  wodenx

Comments

wodenx

Status: Active » Needs review
File size: 4.82 KB

Chris Matthews

Issue summary: View changes
Status: Needs review » Needs work
Issue tags: +Needs reroll

The 5-year-old patch in #1 does not apply to the latest entity 7.x-1.x-dev.

Checking patch entity.test...
error: while searching for:
    $this->assertTrue($wrapper->{$this->field_name}->access('view'), 'Field access granted.');
  }

  /**
   * Tests using a data structure with passed in metadata.
   */

error: patch failed: entity.test:948
error: entity.test: patch does not apply
Checking patch includes/entity.property.inc...
error: while searching for:
      'label' => t('Text format'),
      'options list' => 'entity_metadata_field_text_formats',
      'getter callback' => 'entity_property_verbatim_get',
    ),
  );
}

error: patch failed: includes/entity.property.inc:507
error: includes/entity.property.inc: patch does not apply
Checking patch modules/callbacks.inc...
Hunk #1 succeeded at 600 (offset 38 lines).
error: while searching for:
 */
function entity_metadata_no_hook_node_access($op, $node = NULL, $account = NULL) {
  if (isset($node)) {
    // If a non-default revision is given, incorporate revision access.
    $default_revision = node_load($node->nid);
    if ($node->vid != $default_revision->vid) {
      return _node_revision_access($node, $op);
    }
    else {
      return node_access($op, $node, $account);
    }
  }
  // Is access to all nodes allowed?

error: patch failed: modules/callbacks.inc:615
error: modules/callbacks.inc: patch does not apply
Checking patch modules/field.info.inc...
Hunk #1 succeeded at 100 (offset 3 lines).