From 69f8d4b664d94851ce9da6e076d3573852fbdac3 Mon Sep 17 00:00:00 2001 From: Chi Date: Sun, 30 Apr 2017 09:36:36 +0300 Subject: [PATCH] Added entity access check. --- src/TwigExtension.php | 63 ++++++++++++------- tests/src/Functional/TwigTweakTest.php | 2 +- .../install/block.block.powered_by_drupal.yml | 16 ----- .../templates/twig-tweak-test.html.twig | 2 +- 4 files changed, 44 insertions(+), 39 deletions(-) delete mode 100644 tests/twig_tweak_test/config/install/block.block.powered_by_drupal.yml diff --git a/src/TwigExtension.php b/src/TwigExtension.php index 4b84ce8..9481f1e 100644 --- a/src/TwigExtension.php +++ b/src/TwigExtension.php @@ -5,6 +5,7 @@ namespace Drupal\twig_tweak; use Drupal\Core\Block\TitleBlockPluginInterface; use Drupal\Core\Config\ConfigFactoryInterface; use Drupal\Core\Controller\TitleResolverInterface; +use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityTypeManagerInterface; use Drupal\Core\Form\FormBuilderInterface; use Drupal\Core\Menu\MenuLinkTreeInterface; @@ -176,8 +177,10 @@ class TwigExtension extends \Twig_Extension { */ public function drupalBlock($id) { $block = $this->entityTypeManager->getStorage('block')->load($id); - return $block ? - $this->entityTypeManager->getViewBuilder('block')->view($block) : ''; + if ($block && $this->entityAccess($block)) { + return $this->entityTypeManager->getViewBuilder('block')->view($block); + } + return NULL; } /** 
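Review bot: In drupalBlock() the access decision is reduced to a boolean, so any cache contexts and tags carried by the block's access result never reach the returned render array, and the denied path returns NULL with no cacheability at all. If the surrounding template output is render-cached, a result computed for one user could presumably be reused for another. Consider requesting the full result with `$access = $block->access('view', NULL, TRUE);` and merging it into the build with `CacheableMetadata::createFromRenderArray($build)->merge(CacheableMetadata::createFromObject($access))->applyTo($build);`. The same applies to the drupalRegion(), drupalEntity() and drupalField() hunks, which all go through entityAccess(). The return for a missing block also changes from `''` to NULL, so the docblock above the hunk (not visible here) may need its @return updated.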
@@ -201,20 +204,19 @@ class TwigExtension extends \Twig_Extension { $view_builder = $this->entityTypeManager->getViewBuilder('block'); $build = []; + /* @var $blocks \Drupal\block\BlockInterface[] */ foreach ($blocks as $id => $block) { - // Should the block be displayed? (follow rules from block layout page). - if (!$block->access('view')) { - continue; - } - $block_plugin = $block->getPlugin(); - if ($block_plugin instanceof TitleBlockPluginInterface) { - $request = $this->requestStack->getCurrentRequest(); - if ($route = $request->attributes->get(RouteObjectInterface::ROUTE_OBJECT)) { - $block_plugin->setTitle($this->titleResolver->getTitle($request, $route)); + if ($this->entityAccess($block)) { + $block_plugin = $block->getPlugin(); + if ($block_plugin instanceof TitleBlockPluginInterface) { + $request = $this->requestStack->getCurrentRequest(); + if ($route = $request->attributes->get(RouteObjectInterface::ROUTE_OBJECT)) { + $block_plugin->setTitle($this->titleResolver->getTitle($request, $route)); + } } + $build[$id] = $view_builder->view($block); } - $build[$id] = $view_builder->view($block); } return $build; @@ -240,7 +242,7 @@ class TwigExtension extends \Twig_Extension { $entity = $id ? $this->entityTypeManager->getStorage($entity_type)->load($id) : $this->routeMatch->getParameter($entity_type); - if ($entity) { + if ($entity && $this->entityAccess($entity)) { $render_controller = $this->entityTypeManager->getViewBuilder($entity_type); return $render_controller->view($entity, $view_mode, $langcode); } 
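Review bot: drupalRegion() previously called `$block->access('view')` unconditionally, but after this hunk the check goes through entityAccess(), which is skipped whenever `twig_tweak_check_access` is set to FALSE. The setting is described as a backward-compatibility workaround for functions that never checked access, so applying it here weakens a check that already existed. Keeping the original guard `if (!$block->access('view')) { continue; }` in this loop would keep region rendering aligned with the block layout rules regardless of the setting. The added type hint would also read better in the standard form `/** @var \Drupal\block\BlockInterface[] $blocks */`. The function body starts and ends outside the hunk.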
@@ -265,14 +267,16 @@ class TwigExtension extends \Twig_Extension { * A render array for the field or NULL if the value does not exist. */ public function drupalField($field_name, $entity_type, $id = NULL, $view_mode = 'default', $langcode = NULL) { - $entity = $id ? - $this->entityTypeManager->getStorage($entity_type)->load($id) : - $this->routeMatch->getParameter($entity_type); - if ($langcode && $entity->hasTranslation($langcode)) { - $entity = $entity->getTranslation($langcode); - } - if (isset($entity->{$field_name})) { - return $entity->{$field_name}->view($view_mode); + $entity = $id + ? $this->entityTypeManager->getStorage($entity_type)->load($id) + : $this->routeMatch->getParameter($entity_type); + if ($entity && $this->entityAccess($entity)) { + if ($langcode && $entity->hasTranslation($langcode)) { + $entity = $entity->getTranslation($langcode); + } + if (isset($entity->{$field_name})) { + return $entity->{$field_name}->view($view_mode); + } } return NULL; } @@ -492,4 +496,21 @@ class TwigExtension extends \Twig_Extension { return $output; } + /** + * Checks view access to a given entity. + * + * @param \Drupal\Core\Entity\EntityInterface $entity + * Entity to check access. + * + * @return bool + * The access check result. + * + * @TODO Remove "check_access" option in 9.x. + */ + protected function entityAccess(EntityInterface $entity) { + // Prior version 8.x-1.7 entity access was not checked. The "check_access" + // option provides a workaround for possible BC issues. + return !Settings::get('twig_tweak_check_access', TRUE) || $entity->access('view'); + } + } diff --git a/tests/src/Functional/TwigTweakTest.php b/tests/src/Functional/TwigTweakTest.php index 172a406..dd03dfa 100644 --- a/tests/src/Functional/TwigTweakTest.php +++ b/tests/src/Functional/TwigTweakTest.php 
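Review bot: In drupalField() the access check runs on the entity as loaded, and only afterwards is `$entity` swapped for `getTranslation($langcode)`, so the translation that actually gets rendered is never checked itself. Where access can differ per translation (for example an unpublished translation of a published node; this depends on the entity type's access handler), the field of a translation the user may not view could still be rendered. Resolving the translation first and then testing `if ($this->entityAccess($entity) && isset($entity->{$field_name}))` closes that gap. The drupalEntity() hunk passes `$langcode` to the view builder after checking the untranslated entity and may need the same treatment.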
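Review bot: entityAccess() calls `Settings::get()`, but the only import this patch adds is `EntityInterface`; unless `use Drupal\Core\Site\Settings;` already exists outside the visible hunks, the name resolves to `Drupal\twig_tweak\Settings` and every access-checked function fails at runtime. The inline comment and the @TODO also call the option "check_access" while the key actually read is `twig_tweak_check_access`, so the docblock should state the real key. It should also say that setting the key to FALSE disables view access checks for every entity rendered through these Twig functions. Because the switch fails open for the whole site, it is worth documenting as a temporary migration aid rather than a supported configuration.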
@@ -66,7 +66,7 @@ class TwigTweakTest extends BrowserTestBase { // Test block. $xpath = '//div[@class = "tt-block"]'; - $xpath .= '/div[@id="block-powered-by-drupal"]/span[contains(., "Powered by Drupal")]'; + $xpath .= '/div[@id="block-classy-powered-by-drupal"]/span[contains(., "Powered by Drupal")]'; $this->assertByXpath($xpath); // Test region. diff --git a/tests/twig_tweak_test/config/install/block.block.powered_by_drupal.yml b/tests/twig_tweak_test/config/install/block.block.powered_by_drupal.yml deleted file mode 100644 index 59a2f51..0000000 --- a/tests/twig_tweak_test/config/install/block.block.powered_by_drupal.yml +++ /dev/null @@ -1,16 +0,0 @@ -langcode: en -status: true -dependencies: - module: - - system -id: powered_by_drupal -region: main -weight: 10 -provider: null -plugin: system_powered_by_block -settings: - id: system_powered_by_block - label: 'Powered by Drupal' - provider: system - label_display: '0' -visibility: { } diff --git a/tests/twig_tweak_test/templates/twig-tweak-test.html.twig b/tests/twig_tweak_test/templates/twig-tweak-test.html.twig index 96a59f0..c45610c 100644 --- a/tests/twig_tweak_test/templates/twig-tweak-test.html.twig +++ b/tests/twig_tweak_test/templates/twig-tweak-test.html.twig @@ -19,7 +19,7 @@
{{ drupal_view('twig_tweak_test') }}
{{ drupal_view('twig_tweak_test', 'page_1') }}
{{ drupal_view('twig_tweak_test', 'page_1', 1) }}
-
{{ drupal_block('powered_by_drupal') }}
+
{{ drupal_block('classy_powered_by_drupal') }}
{{ drupal_region('sidebar_first') }}
{{ drupal_entity('node', 1) }}
{{ drupal_entity('node', 1, 'teaser') }}