SA-CORE-2019-008 by dwbotsch, xjm, mlhess, cilefen, greggles, drumm, …

…alexpott, amateescu

(cherry picked from commit 9f9d61a5dafd83e3bc9ba3fdf5180e15dec6e542)

modules/workspaces/src/EntityAccess.php

@@ -124,10 +124,8 @@ protected function bypassAccessResult(AccountInterface $account) {
     // to ALL THE THINGS! That's why this is a dangerous permission.
     $active_workspace = $this->workspaceManager->getActiveWorkspace();
 
-    $owner_has_access = AccessResult::allowedIf($active_workspace->getOwnerId() == $account->id())
-      ->cachePerUser()->addCacheableDependency($active_workspace);
-    $access_bypass = AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace');
-    return $owner_has_access->orIf($access_bypass);
+    return AccessResult::allowedIf($active_workspace->getOwnerId() == $account->id())->cachePerUser()->addCacheableDependency($active_workspace)
+      ->andIf(AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace'));
   }
 
 }

modules/workspaces/tests/src/Functional/WorkspaceBypassTest.php

@@ -55,10 +55,10 @@ public function testBypassOwnWorkspace() {
     $this->drupalLogin($lombardi);
     $this->switchToWorkspace($bears);
 
-    // Editor 2 should be able to create and edit any node because of the
-    // assigned bypass permission.
+    // Editor 2 has the bypass permission but does not own the workspace and so,
+    // should not be able to create and edit any node.
     $this->drupalGet('/node/' . $ditka_bears_node_id . '/edit');
-    $this->assertSession()->statusCodeEquals(200);
+    $this->assertSession()->statusCodeEquals(403);
   }
 
 }

modules/workspaces/workspaces.post_update.php

@@ -0,0 +1,12 @@
+<?php
+
+/**
+ * @file
+ * Post update functions for the Workspaces module.
+ */
+
+/**
+ * Clear caches due to access changes.
+ */
+function workspaces_post_update_access_clear_caches() {
+}