- Patch #91663 by sun, Berdir, swentel, blackdog, chx: permission of text format is not checked when editing an entity and instead reset to something a user can use.

4 files changed, 120 insertions, 7 deletions

diff --git a/modules/block/block.module b/modules/block/block.module
index 706af7b56..83ed3b922 100644
--- a/modules/block/block.module
+++ b/modules/block/block.module
@@ -438,7 +438,6 @@ function block_custom_block_form($edit = array()) {
     '#description' => t('The content of the block as shown to the user.'),
     '#required' => TRUE,
     '#weight' => -17,
-    '#access' => filter_access(filter_format_load($edit['format'])),
   );
 
   return $form;
diff --git a/modules/block/block.test b/modules/block/block.test
index 91887fdd5..71d265abb 100644
--- a/modules/block/block.test
+++ b/modules/block/block.test
@@ -131,7 +131,7 @@ class BlockTestCase extends DrupalWebTestCase {
     $block_admin = $this->drupalCreateUser(array('administer blocks'));
     $this->drupalLogin($block_admin);
     $this->drupalGet('admin/structure/block/manage/block/' . $bid . '/configure');
-    $this->assertNoText(t('Block body'));
+    $this->assertFieldByXPath("//textarea[@name='body[value]' and @disabled='disabled']", t('This field has been disabled because you do not have sufficient permissions to edit it.'), t('Body field contains denied message'));
     $this->drupalPost('admin/structure/block/manage/block/' . $bid . '/configure', array(), t('Save block'));
     $this->assertNoText(t('Ensure that each block description is unique.'));
 
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 1daf7e8de..a69d26031 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -849,6 +849,38 @@ function filter_process_format($element) {
     '#weight' => 0,
   );
 
+  // Lastly, disallow editing of this field if the user is not allowed to use
+  // the stored and preselected text format. But only, if that format actually
+  // exists.
+  $all_formats = filter_formats();
+  if (!isset($formats[$element['#format']]) && isset($all_formats[$element['#format']])) {
+    // Overload default values into #value to make them unalterable.
+    $element['value']['#value'] = $element['value']['#default_value'];
+    $element['format']['format']['#value'] = $element['format']['format']['#default_value'];
+
+    // Prepend #pre_render callback to replace field value with user notice
+    // prior to rendering.
+    if (!isset($element['value']['#pre_render'])) {
+      $element['value']['#pre_render'] = array();
+    }
+    array_unshift($element['value']['#pre_render'], 'filter_form_access_denied');
+
+    // Cosmetic adjustments.
+    if (isset($element['value']['#rows'])) {
+      $element['value']['#rows'] = 3;
+    }
+    $element['value']['#disabled'] = TRUE;
+    $element['value']['#resizable'] = FALSE;
+
+    // Hide the text format selector and any other child element (such as text
+    // field's summary).
+    foreach (element_children($element) as $key) {
+      if ($key != 'value') {
+        $element[$key]['#access'] = FALSE;
+      }
+    }
+  }
+
   return $element;
 }
 
@@ -885,6 +917,22 @@ function filter_form_after_build($element, &$form_state) {
 }
 
 /**
+ * #pre_render callback for #type 'text_format' to hide field value from prying eyes.
+ *
+ * To not break form processing and previews if a user does not have access to a
+ * stored text format, the expanded form elements in filter_process_format() are
+ * forced to take over the stored #default_values for 'value' and 'format'.
+ * However, to prevent the unfiltered, original #value from being displayed to
+ * the user, we replace it with a friendly notice here.
+ *
+ * @see filter_process_format()
+ */
+function filter_form_access_denied($element) {
+  $element['#value'] = t('This field has been disabled because you do not have sufficient permissions to edit it.');
+  return $element;
+}
+
+/**
  * Render a text format-enabled form element.
  *
  * @param $variables
diff --git a/modules/filter/filter.test b/modules/filter/filter.test
index b9e3f760a..7a26a72db 100644
--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
@@ -395,7 +395,7 @@ class FilterAdminTestCase extends DrupalWebTestCase {
   }
 }
 
-class FilterAccessTestCase extends DrupalWebTestCase {
+class FilterFormatAccessTestCase extends DrupalWebTestCase {
   protected $admin_user;
   protected $web_user;
   protected $allowed_format;
@@ -403,8 +403,8 @@ class FilterAccessTestCase extends DrupalWebTestCase {
 
   public static function getInfo() {
     return array(
-      'name' => 'Filter access functionality',
-      'description' => 'Test the filter access system.',
+      'name' => 'Filter format access',
+      'description' => 'Tests access to text formats.',
       'group' => 'Filter',
     );
   }
@@ -412,8 +412,15 @@ class FilterAccessTestCase extends DrupalWebTestCase {
   function setUp() {
     parent::setUp();
 
+    $this->full_html_format = db_query_range('SELECT * FROM {filter_format} WHERE name = :name', 0, 1, array(':name' => 'Full HTML'))->fetchObject();
+
     // Create two text formats and grant a regular user access to one of them.
-    $this->admin_user = $this->drupalCreateUser(array('administer filters'));
+    $this->admin_user = $this->drupalCreateUser(array(
+      'administer filters',
+      'create page content',
+      'edit any page content',
+      filter_permission_name($this->full_html_format),
+    ));
     $this->drupalLogin($this->admin_user);
     $formats = array();
     for ($i = 0; $i < 2; $i++) {
@@ -424,7 +431,11 @@ class FilterAccessTestCase extends DrupalWebTestCase {
       $formats[] = filter_format_load($format_id);
     }
     list($this->allowed_format, $this->disallowed_format) = $formats;
-    $this->web_user = $this->drupalCreateUser(array('create page content', filter_permission_name($this->allowed_format)));
+
+    $this->web_user = $this->drupalCreateUser(array(
+      'create page content',
+      filter_permission_name($this->allowed_format),
+    ));
   }
 
   function testFormatPermissions() {
@@ -475,6 +486,61 @@ class FilterAccessTestCase extends DrupalWebTestCase {
   }
 
   /**
+   * Test editing a page using a disallowed text format.
+   *
+   * Verifies that a regular user is able to edit a page, but is not allowed to
+   * change the fields which use an inaccessible text format.
+   */
+  function testFormatWidgetPermissions() {
+    $langcode = LANGUAGE_NONE;
+    $title_key = "title";
+    $body_value_key = "body[$langcode][0][value]";
+    $body_format_key = "body[$langcode][0][format]";
+
+    // Create node to edit.
+    $this->drupalLogin($this->admin_user);
+    $edit = array();
+    $edit['title'] = $this->randomName(8);
+    $edit[$body_value_key] = $this->randomName(16);
+    $edit[$body_format_key] = $this->full_html_format->format;
+    $this->drupalPost('node/add/page', $edit, t('Save'));
+    $node = $this->drupalGetNodeByTitle($edit['title']);
+
+    // Try to edit with a less privileged user.
+    $this->moderator = $this->drupalCreateUser(array(
+      'edit any page content',
+      'create page content',
+    ));
+    $this->drupalLogin($this->moderator);
+    $this->drupalGet('node/' . $node->nid);
+    $this->clickLink(t('Edit'));
+
+    // Verify that body field is read-only and contains replacement value.
+    $this->assertFieldByXPath("//textarea[@name='$body_value_key' and @disabled='disabled']", t('This field has been disabled because you do not have sufficient permissions to edit it.'), t('Text format access denied message found.'));
+
+    // Verify that title can be changed, but preview displays original body.
+    $new_edit = array();
+    $new_edit['title'] = $this->randomName(8);
+    $this->drupalPost(NULL, $new_edit, t('Preview'));
+    $this->assertText($edit[$body_value_key], t('Old body found in preview.'));
+
+    // Save and verify that only the title was changed.
+    $this->drupalPost(NULL, $new_edit, t('Save'));
+    $this->assertNoText($edit['title'], t('Old title not found.'));
+    $this->assertText($new_edit['title'], t('New title found.'));
+    $this->assertText($edit[$body_value_key], t('Old body found.'));
+
+    // Delete the Full HTML text format.
+    filter_format_delete($this->full_html_format);
+    $this->resetFilterCaches();
+
+    // Verify that body field can be edited and a new format can be selected.
+    $this->drupalGet('node/' . $node->nid . '/edit');
+    $this->assertNoFieldByXPath("//textarea[@name='$body_value_key' and @disabled='disabled']", NULL, t('Text format access denied message not found.'));
+    $this->assertFieldByXPath("//select[@name='$body_format_key']", NULL, t('Text format selector found.'));
+  }
+
+  /**
    * Returns the expected HTML for a particular text format selector.
    *
    * @param $format