BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permission

Issue created by @acbramley
Merge request !5059Allow filtering unpublished blocks with access block library permission → (Closed) created by acbramley
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update 8 months ago
30,420 pass
Status changed to Needs review 8 months ago12:47am 20 October 2023
Comment 8 months ago →
🇦🇺Australia acbramley
Confirmed this fixes testCollection failures in 🐛 Information disclosure access bypass for revision log fields when the JSON:API module is enabled Fixed , I'm guessing we'll need additional tests though?
Comment 8 months ago →
🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
If we remove 'administer block content' from the list in the test and this still passes that would pass as test coverage right?
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
54:46
51:43
Running
Comment 8 months ago →
🇦🇺Australia acbramley
Yes, great point! So just porting the test's permissions changes from 3395404 into here.
First commit to issue fork.
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update 8 months ago
30,425 pass
Status changed to RTBC 8 months ago3:59pm 20 October 2023

🇺🇸United States smustgrave

Only rebased to run test-only feature

1) Drupal\Tests\jsonapi\Functional\BlockContentTest::testCollection
The 'data' member was not as expected.
Failed asserting that two arrays are equal.
--- Expected
+++ Actual
@@ @@
 Array (
-    0 => Array (...)
 )
/build

Know doesn't fully help without the comparison but test did correctly fail.

Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update 8 months ago
30,426 pass
Comment 8 months ago →
🇦🇺Australia acbramley
@smustgrave thank you! And yes, the failure message is shocking for those tests 😅. Have a look at 📌 Tests extending jsonapi's ResourceTestBase are extremely hard to debug/maintain/deal with Active for my frustrations

Comment 8 months ago →

System Message

longwave → committed 0edb2442 on 10.1.x

Issue #3395431 by acbramley, smustgrave, larowlan: BlockContent JSON:API...

Comment 8 months ago →

System Message

longwave → committed 30ac531e on 10.2.x

Issue #3395431 by acbramley, smustgrave, larowlan: BlockContent JSON:API...

Comment 8 months ago →

System Message

longwave → committed 257191b8 on 11.x

Issue #3395431 by acbramley, smustgrave, larowlan: BlockContent JSON:API...

Status changed to Fixed 8 months ago8:25am 23 October 2023
Comment 8 months ago →
🇬🇧United Kingdom longwave UK
Backported to 10.1.x as a bug fix to assist with a future security improvement.

Committed and pushed 257191b8a2 to 11.x and 30ac531e74 to 10.2.x and 0edb2442ad to 10.1.x. Thanks!
Comment 8 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.
Comment 6 months ago →
System Message
acbramley → closed merge request !5059

BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permission

Problem/Motivation

Steps to reproduce

Proposed resolution

Merge Requests

!5059BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permission
Closed

Comments & Activities

BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permission

Problem/Motivation

Steps to reproduce

Proposed resolution

Merge Requests

!5059BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permissionClosed

Comments & Activities

!5059BlockContent JSON:API collection endpoint doesn't return unpublished block when filtered without administer block content permission
Closed