Forbid view/edit/delete in ContactMessageAccessControlHandler

Created on 15 May 2017, over 7 years ago
Updated 20 January 2023, almost 2 years ago

Problem/Motivation

Follow-up for #2843755-19: EntityResource: Provide comprehensive test coverage for Message entity
Message entities are not stored but access handler use permission access site-wide contact form to grant access to this operations

Proposed resolution

Forbid access for unused operations.

Remaining tasks

- Review merge request
- Write a change record draft
- Review change record and mark RTBC

User interface changes

no

API changes

Yes, Access denied may occur when using a module such as contact_storage, which will need to add its own access handler. However an entity's handlers and access check providers are considered internal per Drupal backwards-compatibility and internal API .

Data model changes

no

📌 Task
Status

Needs work

Version

10.1

Component
Contact 

Last updated 27 days ago

Created by

🇫🇷France andypost

Live updates comments and jobs are added and updated live.
  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Merge request !31312878513-10.1.x → (Closed) created by rpayanm
  • 🇮🇪Ireland lostcarpark

    So the errors are:

    Failed asserting that two strings are identical.
    --- Expected
    +++ Actual
    @@ @@
    -'{"message":"No route found for \u0022POST \/entity\/contact_message\u0022"}'
    +'{"message":"No route found for \u0022POST http:\/\/php-apache-jenkins-drupal-patches-158543\/subdirectory\/entity\/contact_message\u0022"}'

    I believe they are stemming from this line:

     $this->assertResourceErrorResponse(404, 'No route found for "POST ' . str_replace($this->baseUrl, '', $this->getEntityResourcePostUrl()->setAbsolute()->toString()) . '"', $response);
    

    In the following file:

    core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php

    Any thoughts on how to fix?

  • 🇺🇸United States smustgrave

    These are tricky but something with this test needs to be tweaked

    $this->assertResourceErrorResponse(404, 'No route found for "POST ' . str_replace($this->baseUrl, '', $this->getEntityResourcePostUrl()->setAbsolute()->toString()) . '"', $response);

    Was is the baseUrl being replace?

  • 🇮🇪Ireland lostcarpark

    Working on this as part of #ContributionWeekend2023.

  • 🇮🇪Ireland lostcarpark

    Any idea how I can run one specific test rather than a whole test group? That would hopefully make it easier to debug.

  • 🇺🇸United States smustgrave

    can probably setup your local to run tests and just run the one. Would have to google what you need to do to set that up though.

  • Pipeline finished with Failed
    about 1 year ago
    Total: 283s
    #40920
  • Merge request !51672878513-10.1.x → (Open) created by lostcarpark
  • Pipeline finished with Failed
    about 1 year ago
    Total: 892s
    #40921
  • Pipeline finished with Failed
    about 1 year ago
    Total: 656s
    #40992
  • Pipeline finished with Failed
    about 1 year ago
    Total: 164s
    #41209
  • Pipeline finished with Failed
    about 1 year ago
    Total: 671s
    #41226
  • Pipeline finished with Success
    about 1 year ago
    Total: 701s
    #41408
  • 🇮🇪Ireland lostcarpark

    I think !3131 can be closed, but I didn't create it, so I don't have permission to close it.

  • 🇮🇪Ireland lostcarpark

    Tests are now passing on !5167.

    Turned out trying to remove the base path from the URL when calling assertResourceErrorResponse was the wrong way to go. Compared to similar checks elsewhere in core and figured out I could remove the replace from this test. This also meant the setting of basePath could be removed from setUp.

  • Status changed to Needs review about 1 year ago
  • 🇮🇪Ireland lostcarpark

    Tests are now passing, so moving to needs review.

  • Pipeline finished with Success
    about 1 year ago
    Total: 620s
    #41582
  • Status changed to Needs work about 1 year ago
  • 🇺🇸United States smustgrave
    1) Drupal\Tests\contact\Kernel\MessageEntityTest::testMessageMethods
    Failed asserting that true is false.
    /builds/issue/drupal-2878513/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
    /builds/issue/drupal-2878513/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:55
    /builds/issue/drupal-2878513/core/modules/contact/tests/src/Kernel/MessageEntityTest.php:70
    /builds/issue/drupal-2878513/vendor/phpunit/phpunit/src/Framework/TestResult.php:728
    FAILURES!
    Tests: 1, Assertions: 23, Failures: 1.
    

    Rebased to run the test-only feature and got a failure as expected.

    Seems most feedback has been addressed only moving to NW for the change record.

    Good work!

  • Status changed to Needs review 2 months ago
  • 🇮🇪Ireland lostcarpark

    I have created a change record: https://www.drupal.org/node/3479476

    This is the first time I have created one, so I expect it will need some editing.

  • The Needs Review Queue Bot tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • Pipeline finished with Failed
    2 months ago
    Total: 1547s
    #304517
  • 🇮🇪Ireland lostcarpark

    lostcarpark changed the visibility of the branch 2878513-10.1.x to hidden.

  • Pipeline finished with Failed
    2 months ago
    Total: 74s
    #304551
  • Pipeline finished with Failed
    2 months ago
    Total: 2243s
    #304577
  • Pipeline finished with Failed
    2 months ago
    Total: 107s
    #305432
  • Pipeline finished with Failed
    2 months ago
    Total: 524s
    #305437
  • Pipeline finished with Success
    2 months ago
    Total: 882s
    #305481
  • 🇮🇪Ireland lostcarpark

    The MessageTest function doTestPostIndividual() was failing as it expects different return codes in different situations, but the contact Message entity always denies access, so always returns a 403.

    I thought I could override this function with a custom function that expects 403, but this test is part of JsonAPI, not the contact module, so overriding the test causes other tests to fail.

    As we know the contact entity will always return a 403, this test isn't really relevant to the contact module, and we have other tests that verify the 403 return code. I have added a check for the Message entity, and if found, the test is skipped.

    I'm not certain this is the correct approach, so appreciate a review.

  • The Needs Review Queue Bot tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • Pipeline finished with Success
    2 months ago
    Total: 1723s
    #305577
  • 🇮🇪Ireland lostcarpark

    Fixed return parameter issue flagged by Queue Bot.

  • 🇺🇸United States smustgrave

    Removing novice tag appears to be more advanced then that
    Was also tagged for change record which sitll needs to be needed.

Production build 0.71.5 2024