Issue #2913655 by vegantriathlete, Mile23: ContactAccessControlHandler creates access bypass?

vegantriathlete · paul-m · commit 1c0c9ca1fb32 · 2018-07-14T16:09:45.000-07:00
diff --git a/content_entity_example/content_entity_example.routing.yml b/content_entity_example/content_entity_example.routing.yml
@@ -5,11 +5,13 @@
 entity.content_entity_example_contact.canonical:
   path: '/content_entity_example_contact/{content_entity_example_contact}'
   defaults:
-  # Calls the view controller, defined in the annotation of the contact entity
+    # Calls the view controller, defined in the annotation of the contact
+    # entity. This marks this route as belonging to this entity type.
     _entity_view: 'content_entity_example_contact'
     _title: 'Contact content'
   requirements:
-  # Calls the access controller of the entity, $operation 'view'
+    # Calls the access controller of the entity, passing in the suffix ('view')
+    # as the $operation parameter to checkAccess().
     _entity_access: 'content_entity_example_contact.view'
 
 entity.content_entity_example_contact.collection:
@@ -25,20 +27,25 @@ entity.content_entity_example_contact.collection:
 content_entity_example.contact_add:
   path: '/content_entity_example_contact/add'
   defaults:
-  # Calls the form.add controller, defined in the contact entity.
-    _entity_form: content_entity_example_contact.add
+    # Calls the form.add controller, defined in the contact entity.
+    _entity_form: content_entity_example_contact.default
     _title: 'Add contact'
   requirements:
+    # Use the entity's access controller. _entity_create_access tells the router
+    # to use the access controller's checkCreateAccess() method instead of
+    # checkAccess().
     _entity_create_access: 'content_entity_example_contact'
 
 entity.content_entity_example_contact.edit_form:
   path: '/content_entity_example_contact/{content_entity_example_contact}/edit'
   defaults:
   # Calls the form.edit controller, defined in the contact entity.
-    _entity_form: content_entity_example_contact.edit
+    _entity_form: content_entity_example_contact.default
     _title: 'Edit contact'
   requirements:
-    _entity_access: 'content_entity_example_contact.edit'
+    # Calls the access controller of the entity, passing in the suffix
+    # ('update') as the $operation parameter to checkAccess().
+    _entity_access: 'content_entity_example_contact.update'
 
 entity.content_entity_example_contact.delete_form:
   path: '/contact/{content_entity_example_contact}/delete'
@@ -47,6 +54,8 @@ entity.content_entity_example_contact.delete_form:
     _entity_form: content_entity_example_contact.delete
     _title: 'Delete contact'
   requirements:
+    # Calls the access controller of the entity, passing in the suffix
+    # ('delete') as the $operation parameter to checkAccess().
     _entity_access: 'content_entity_example_contact.delete'
 
 content_entity_example.contact_settings:
diff --git a/content_entity_example/src/ContactAccessControlHandler.php b/content_entity_example/src/ContactAccessControlHandler.php
@@ -29,7 +29,7 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
       case 'view':
         return AccessResult::allowedIfHasPermission($account, 'view contact entity');
 
-      case 'edit':
+      case 'update':
         return AccessResult::allowedIfHasPermission($account, 'edit contact entity');
 
       case 'delete':
diff --git a/content_entity_example/src/Entity/Contact.php b/content_entity_example/src/Entity/Contact.php
@@ -42,9 +42,11 @@
  *
  * - form: We derive our own forms to add functionality like additional fields,
  *   redirects etc. These forms are used when the route specifies an
- *   '_entity_form' default for the entity type. Depending on the suffix
- *   (.add/.edit/.delete) of the '_entity_form' default, the form specified in
- *   the annotation is used.
+ *   '_entity_form' or '_entity_create_access' for the entity type. Depending on
+ *   the suffix (.add/.default/.delete) of the '_entity_form' default in the
+ *   route, the form specified in the annotation is used. The suffix then also
+ *   becomes the $operation parameter to the access handler. We use the
+ *   '.default' suffix for all operations that are not 'delete'.
  *
  * - access: Our own access controller, where we determine access rights based
  *   on permissions.
@@ -81,8 +83,7 @@
  *     "view_builder" = "Drupal\Core\Entity\EntityViewBuilder",
  *     "list_builder" = "Drupal\content_entity_example\Entity\Controller\ContactListBuilder",
  *     "form" = {
- *       "add" = "Drupal\content_entity_example\Form\ContactForm",
- *       "edit" = "Drupal\content_entity_example\Form\ContactForm",
+ *       "default" = "Drupal\content_entity_example\Form\ContactForm",
  *       "delete" = "Drupal\content_entity_example\Form\ContactDeleteForm",
  *     },
  *     "access" = "Drupal\content_entity_example\ContactAccessControlHandler",
@@ -107,10 +108,12 @@
  * The 'links' above are defined by their path. For core to find the
  * corresponding route, the route name must follow the correct pattern:
  *
- * entity.<entity-name>.<link-name> (replace dashes with underscores)
- * Example: 'entity.content_entity_example_contact.canonical'
+ * entity.<entity_type>.<link_name>
  *
- * See routing file above for the corresponding implementation
+ * Example: 'entity.content_entity_example_contact.canonical'.
+ *
+ * See the routing file at content_entity_example.routing.yml for the
+ * corresponding implementation.
  *
  * The Contact class defines methods and fields for the contact entity.
  *
