Issue #3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update introduces breaking changes to content moderation

(cherry picked from commit 73d9d9b)

Author: alexpott

modules/content_moderation/src/Plugin/Validation/Constraint/ModerationStateConstraintValidator.php

@@ -123,7 +123,7 @@ public function validate($value, Constraint $constraint) {
     else {
       // If we're sure the transition exists, make sure the user has permission
       // to use it.
-      if (!$this->stateTransitionValidation->isTransitionValid($workflow, $original_state, $new_state, $this->currentUser)) {
+      if (!$this->stateTransitionValidation->isTransitionValid($workflow, $original_state, $new_state, $this->currentUser, $entity)) {
         $this->context->addViolation($constraint->invalidTransitionAccess, [
           '%original_state' => $original_state->label(),
           '%new_state' => $new_state->label(),

modules/content_moderation/src/StateTransitionValidation.php

@@ -52,7 +52,10 @@ public function getValidTransitions(ContentEntityInterface $entity, AccountInter
   /**
    * {@inheritdoc}
    */
-  public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user) {
+  public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user, ContentEntityInterface $entity = NULL) {
+    if ($entity === NULL) {
+      @trigger_error(sprintf('Omitting the $entity parameter from %s is deprecated and will be required in Drupal 9.0.0.', __METHOD__), E_USER_DEPRECATED);
+    }
     $transition = $workflow->getTypePlugin()->getTransitionFromStateToState($original_state->id(), $new_state->id());
     return $user->hasPermission('use ' . $workflow->id() . ' transition ' . $transition->id());
   }

modules/content_moderation/src/StateTransitionValidationInterface.php

@@ -36,10 +36,13 @@ public function getValidTransitions(ContentEntityInterface $entity, AccountInter
    *   The new workflow state.
    * @param \Drupal\Core\Session\AccountInterface $user
    *   The user to validate.
+   * @param \Drupal\Core\Entity\ContentEntityInterface $entity
+   *   (optional) The entity to be transitioned. Omitting this parameter is
+   *   deprecated and will be required in Drupal 9.0.0.
    *
    * @return bool
    *   Returns TRUE if transition is valid, otherwise FALSE.
    */
-  public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user);
+  public function isTransitionValid(WorkflowInterface $workflow, StateInterface $original_state, StateInterface $new_state, AccountInterface $user, ContentEntityInterface $entity = NULL);
 
 }

modules/content_moderation/tests/src/Unit/StateTransitionValidationTest.php

@@ -10,6 +10,7 @@
 use Drupal\Tests\UnitTestCase;
 use Drupal\workflow_type_test\Plugin\WorkflowType\TestType;
 use Drupal\workflows\Entity\Workflow;
+use Drupal\workflows\State;
 use Drupal\workflows\WorkflowTypeManager;
 use Prophecy\Argument;
 
@@ -19,6 +20,38 @@
  */
 class StateTransitionValidationTest extends UnitTestCase {
 
+  /**
+   * A test workflow.
+   *
+   * @var \Drupal\workflows\WorkflowInterface
+   */
+  protected $workflow;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    // Create a container so that the plugin manager and workflow type can be
+    // mocked.
+    $container = new ContainerBuilder();
+    $workflow_manager = $this->prophesize(WorkflowTypeManager::class);
+    $workflow_manager->createInstance('content_moderation', Argument::any())->willReturn(new TestType([], '', []));
+    $container->set('plugin.manager.workflows.type', $workflow_manager->reveal());
+    \Drupal::setContainer($container);
+
+    $this->workflow = new Workflow(['id' => 'process', 'type' => 'content_moderation'], 'workflow');
+    $this->workflow
+      ->getTypePlugin()
+      ->addState('draft', 'draft')
+      ->addState('needs_review', 'needs_review')
+      ->addState('published', 'published')
+      ->addTransition('draft', 'draft', ['draft'], 'draft')
+      ->addTransition('review', 'review', ['draft'], 'needs_review')
+      ->addTransition('publish', 'publish', ['needs_review', 'published'], 'published');
+  }
+
   /**
    * Verifies user-aware transition validation.
    *
@@ -47,7 +80,10 @@ public function testUserSensitiveValidTransitions($from_id, $to_id, $permission,
     $entity->moderation_state = new \stdClass();
     $entity->moderation_state->value = $from_id;
 
-    $validator = new StateTransitionValidation($this->setUpModerationInformation($entity));
+    $moderation_info = $this->prophesize(ModerationInformationInterface::class);
+    $moderation_info->getWorkflowForEntity($entity)->willReturn($this->workflow);
+
+    $validator = new StateTransitionValidation($moderation_info->reveal());
     $has_transition = FALSE;
     foreach ($validator->getValidTransitions($entity, $user->reveal()) as $transition) {
       if ($transition->to()->id() === $to_id) {
@@ -58,27 +94,17 @@ public function testUserSensitiveValidTransitions($from_id, $to_id, $permission,
     $this->assertSame($result, $has_transition);
   }
 
-  protected function setUpModerationInformation(ContentEntityInterface $entity) {
-    // Create a container so that the plugin manager and workflow type can be
-    // mocked.
-    $container = new ContainerBuilder();
-    $workflow_manager = $this->prophesize(WorkflowTypeManager::class);
-    $workflow_manager->createInstance('content_moderation', Argument::any())->willReturn(new TestType([], '', []));
-    $container->set('plugin.manager.workflows.type', $workflow_manager->reveal());
-    \Drupal::setContainer($container);
-
-    $workflow = new Workflow(['id' => 'process', 'type' => 'content_moderation'], 'workflow');
-    $workflow
-      ->getTypePlugin()
-      ->addState('draft', 'draft')
-      ->addState('needs_review', 'needs_review')
-      ->addState('published', 'published')
-      ->addTransition('draft', 'draft', ['draft'], 'draft')
-      ->addTransition('review', 'review', ['draft'], 'needs_review')
-      ->addTransition('publish', 'publish', ['needs_review', 'published'], 'published');
+  /**
+   * @expectedDeprecation Omitting the $entity parameter from Drupal\content_moderation\StateTransitionValidation::isTransitionValid is deprecated and will be required in Drupal 9.0.0.
+   * @group legacy
+   */
+  public function testDeprecatedEntityParameter() {
     $moderation_info = $this->prophesize(ModerationInformationInterface::class);
-    $moderation_info->getWorkflowForEntity($entity)->willReturn($workflow);
-    return $moderation_info->reveal();
+    $state = new State($this->workflow->getTypePlugin(), 'draft', 'draft');
+    $user = $this->prophesize(AccountInterface::class);
+
+    $validator = new StateTransitionValidation($moderation_info->reveal());
+    $validator->isTransitionValid($this->workflow, $state, $state, $user->reveal());
   }
 
   /**