security update core+modules

2015-04-26 18:38:56 +02:00
parent 2f45ea820a
commit 7c96373038
1022 changed files with 30319 additions and 11259 deletions
--- a/modules/menu/menu.admin.inc
+++ b/modules/menu/menu.admin.inc
@@ -395,7 +395,7 @@ function menu_edit_item_validate($form, &$form_state) {
    else {
      unset($item['options']['fragment']);
    }
-    if ($item['link_path'] != $parsed_link['path']) {
+    if (isset($parsed_link['path']) && $item['link_path'] != $parsed_link['path']) {
      $item['link_path'] = $parsed_link['path'];
    }
  }
@@ -512,8 +512,7 @@ function menu_delete_menu_page($menu) {
  // System-defined menus may not be deleted.
  $system_menus = menu_list_system_menus();
  if (isset($system_menus[$menu['menu_name']])) {
-    drupal_access_denied();
-    return;
+    return MENU_ACCESS_DENIED;
  }
  return drupal_get_form('menu_delete_menu_confirm', $menu);
 }
@@ -622,8 +621,7 @@ function menu_item_delete_page($item) {
  // Links defined via hook_menu may not be deleted. Updated items are an
  // exception, as they can be broken.
  if ($item['module'] == 'system' && !$item['updated']) {
-    drupal_access_denied();
-    return;
+    return MENU_ACCESS_DENIED;
  }
  return drupal_get_form('menu_item_delete_form', $item);
 }
--- a/modules/menu/menu.api.php
+++ b/modules/menu/menu.api.php
@@ -11,7 +11,7 @@
 */

 /**
- * Informs modules that a custom menu was created.
+ * Respond to a custom menu creation.
 *
 * This hook is used to notify modules that a custom menu has been created.
 * Contributed modules may use the information to perform actions based on the
@@ -34,7 +34,7 @@ function hook_menu_insert($menu) {
 }

 /**
- * Informs modules that a custom menu was updated.
+ * Respond to a custom menu update.
 *
 * This hook is used to notify modules that a custom menu has been updated.
 * Contributed modules may use the information to perform actions based on the
@@ -59,14 +59,14 @@ function hook_menu_update($menu) {
 }

 /**
- * Informs modules that a custom menu was deleted.
+ * Respond to a custom menu deletion.
 *
 * This hook is used to notify modules that a custom menu along with all links
 * contained in it (if any) has been deleted. Contributed modules may use the
 * information to perform actions based on the information entered into the menu
 * system.
 *
- * @param $link
+ * @param $menu
 *   An array representing a custom menu:
 *   - menu_name: The unique name of the custom menu.
 *   - title: The human readable menu title.
--- a/modules/menu/menu.info
+++ b/modules/menu/menu.info
@@ -5,3 +5,9 @@ version = VERSION
 core = 7.x
 files[] = menu.test
 configure = admin/structure/menu
+
+; Information added by Drupal.org packaging script on 2015-04-02
+version = "7.36"
+project = "drupal"
+datestamp = "1427943826"
+
--- a/modules/menu/menu.module
+++ b/modules/menu/menu.module
@@ -69,7 +69,7 @@ function menu_menu() {
    'title' => 'Parent menu items',
    'page callback' => 'menu_parent_options_js',
    'type' => MENU_CALLBACK,
-    'access arguments' => array(TRUE),
+    'access arguments' => array('administer menu'),
  );
  $items['admin/structure/menu/list'] = array(
    'title' => 'List menus',
--- a/modules/menu/menu.test
+++ b/modules/menu/menu.test
@@ -70,7 +70,7 @@ class MenuTestCase extends DrupalWebTestCase {
    $item['options']['attributes']['title']  = $description;
    menu_link_save($item);
    $saved_item = menu_link_load($item['mlid']);
-    $this->assertEqual($description, $saved_item['options']['attributes']['title'], t('Saving an existing link updates the description (title attribute)'));
+    $this->assertEqual($description, $saved_item['options']['attributes']['title'], 'Saving an existing link updates the description (title attribute)');
    $this->resetMenuLink($item, $old_title);
  }

@@ -111,14 +111,14 @@ class MenuTestCase extends DrupalWebTestCase {

    // Assert the new menu.
    $this->drupalGet('admin/structure/menu/manage/' . $menu_name . '/edit');
-    $this->assertRaw($title, t('Custom menu was added.'));
+    $this->assertRaw($title, 'Custom menu was added.');

    // Edit the menu.
    $new_title = $this->randomName(16);
    $menu['title'] = $new_title;
    menu_save($menu);
    $this->drupalGet('admin/structure/menu/manage/' . $menu_name . '/edit');
-    $this->assertRaw($new_title, t('Custom menu was edited.'));
+    $this->assertRaw($new_title, 'Custom menu was edited.');
  }

  /**
@@ -167,7 +167,7 @@ class MenuTestCase extends DrupalWebTestCase {
    $edit['blocks[menu_' . $menu_name . '][region]'] = 'sidebar_first';
    $this->drupalPost('admin/structure/block', $edit, t('Save blocks'));
    $this->assertResponse(200);
-    $this->assertText(t('The block settings have been updated.'), t('Custom menu block was enabled'));
+    $this->assertText(t('The block settings have been updated.'), 'Custom menu block was enabled');

    return menu_load($menu_name);
  }
@@ -184,11 +184,11 @@ class MenuTestCase extends DrupalWebTestCase {
    // Delete custom menu.
    $this->drupalPost("admin/structure/menu/manage/$menu_name/delete", array(), t('Delete'));
    $this->assertResponse(200);
-    $this->assertRaw(t('The custom menu %title has been deleted.', array('%title' => $title)), t('Custom menu was deleted'));
+    $this->assertRaw(t('The custom menu %title has been deleted.', array('%title' => $title)), 'Custom menu was deleted');
    $this->assertFalse(menu_load($menu_name), 'Custom menu was deleted');
    // Test if all menu links associated to the menu were removed from database.
    $result = db_query("SELECT menu_name FROM {menu_links} WHERE menu_name = :menu_name", array(':menu_name' => $menu_name))->fetchField();
-    $this->assertFalse($result, t('All menu links associated to the custom menu were deleted.'));
+    $this->assertFalse($result, 'All menu links associated to the custom menu were deleted.');
  }

  /**
@@ -266,13 +266,13 @@ class MenuTestCase extends DrupalWebTestCase {
    $item = $this->addMenuLink(0, $path);

    $this->drupalGet('admin/structure/menu/item/' . $item['mlid'] . '/edit');
-    $this->assertFieldByName('link_path', $path, t('Path is found with both query and fragment.'));
+    $this->assertFieldByName('link_path', $path, 'Path is found with both query and fragment.');

    // Now change the path to something without query and fragment.
    $path = 'node';
    $this->drupalPost('admin/structure/menu/item/' . $item['mlid'] . '/edit', array('link_path' => $path), t('Save'));
    $this->drupalGet('admin/structure/menu/item/' . $item['mlid'] . '/edit');
-    $this->assertFieldByName('link_path', $path, t('Path no longer has query or fragment.'));
+    $this->assertFieldByName('link_path', $path, 'Path no longer has query or fragment.');
  }

  /**
@@ -318,7 +318,7 @@ class MenuTestCase extends DrupalWebTestCase {
   * @param string $menu_name Menu name.
   */
  function addInvalidMenuLink($menu_name = 'navigation') {
-    foreach (array('-&-', 'admin/people/permissions') as $link_path) {
+    foreach (array('-&-', 'admin/people/permissions', '#') as $link_path) {
      $edit = array(
        'link_path' => $link_path,
        'link_title' => 'title',
@@ -350,7 +350,7 @@ class MenuTestCase extends DrupalWebTestCase {
      // Verify menu link link.
      $this->clickLink($title);
      $title = $parent_node->title;
-      $this->assertTitle(t("@title | Drupal", array('@title' => $title)), t('Parent menu link link target was correct'));
+      $this->assertTitle(t("@title | Drupal", array('@title' => $title)), 'Parent menu link link target was correct');
    }

    // Verify menu link.
@@ -360,7 +360,7 @@ class MenuTestCase extends DrupalWebTestCase {
    // Verify menu link link.
    $this->clickLink($title);
    $title = $item_node->title;
-    $this->assertTitle(t("@title | Drupal", array('@title' => $title)), t('Menu link link target was correct'));
+    $this->assertTitle(t("@title | Drupal", array('@title' => $title)), 'Menu link link target was correct');
  }

  /**
@@ -412,7 +412,7 @@ class MenuTestCase extends DrupalWebTestCase {
    // Reset menu link.
    $this->drupalPost("admin/structure/menu/item/$mlid/reset", array(), t('Reset'));
    $this->assertResponse(200);
-    $this->assertRaw(t('The menu link was reset to its default settings.'), t('Menu link was reset'));
+    $this->assertRaw(t('The menu link was reset to its default settings.'), 'Menu link was reset');

    // Verify menu link.
    $this->drupalGet('');
@@ -432,7 +432,7 @@ class MenuTestCase extends DrupalWebTestCase {
    // Delete menu link.
    $this->drupalPost("admin/structure/menu/item/$mlid/delete", array(), t('Confirm'));
    $this->assertResponse(200);
-    $this->assertRaw(t('The menu link %title has been deleted.', array('%title' => $title)), t('Menu link was deleted'));
+    $this->assertRaw(t('The menu link %title has been deleted.', array('%title' => $title)), 'Menu link was deleted');

    // Verify deletion.
    $this->drupalGet('');
@@ -509,10 +509,27 @@ class MenuTestCase extends DrupalWebTestCase {
      $item['link_path'] .= '#' . $options['fragment'];
    }
    foreach ($expected_item as $key => $value) {
-      $this->assertEqual($item[$key], $value, t('Parameter %key had expected value.', array('%key' => $key)));
+      $this->assertEqual($item[$key], $value, format_string('Parameter %key had expected value.', array('%key' => $key)));
    }
  }

+  /**
+   * Test administrative users other than user 1 can access the menu parents AJAX callback.
+   */
+  public function testMenuParentsJsAccess() {
+    $admin = $this->drupalCreateUser(array('administer menu'));
+    $this->drupalLogin($admin);
+    // Just check access to the callback overall, the POST data is irrelevant.
+    $this->drupalGetAJAX('admin/structure/menu/parents');
+    $this->assertResponse(200);
+
+    // Do standard user tests.
+    // Login the user.
+    $this->drupalLogin($this->std_user);
+    $this->drupalGetAJAX('admin/structure/menu/parents');
+    $this->assertResponse(403);
+  }
+
  /**
   * Get standard menu link.
   */
@@ -537,21 +554,21 @@ class MenuTestCase extends DrupalWebTestCase {
    $this->drupalGet('admin/help/menu');
    $this->assertResponse($response);
    if ($response == 200) {
-      $this->assertText(t('Menu'), t('Menu help was displayed'));
+      $this->assertText(t('Menu'), 'Menu help was displayed');
    }

    // View menu build overview node.
    $this->drupalGet('admin/structure/menu');
    $this->assertResponse($response);
    if ($response == 200) {
-      $this->assertText(t('Menus'), t('Menu build overview node was displayed'));
+      $this->assertText(t('Menus'), 'Menu build overview node was displayed');
    }

    // View navigation menu customization node.
    $this->drupalGet('admin/structure/menu/manage/navigation');
        $this->assertResponse($response);
    if ($response == 200) {
-      $this->assertText(t('Navigation'), t('Navigation menu node was displayed'));
+      $this->assertText(t('Navigation'), 'Navigation menu node was displayed');
    }

    // View menu edit node.
@@ -559,21 +576,21 @@ class MenuTestCase extends DrupalWebTestCase {
    $this->drupalGet('admin/structure/menu/item/' . $item['mlid'] . '/edit');
    $this->assertResponse($response);
    if ($response == 200) {
-      $this->assertText(t('Edit menu item'), t('Menu edit node was displayed'));
+      $this->assertText(t('Edit menu item'), 'Menu edit node was displayed');
    }

    // View menu settings node.
    $this->drupalGet('admin/structure/menu/settings');
    $this->assertResponse($response);
    if ($response == 200) {
-      $this->assertText(t('Menus'), t('Menu settings node was displayed'));
+      $this->assertText(t('Menus'), 'Menu settings node was displayed');
    }

    // View add menu node.
    $this->drupalGet('admin/structure/menu/add');
    $this->assertResponse($response);
    if ($response == 200) {
-      $this->assertText(t('Menus'), t('Add menu node was displayed'));
+      $this->assertText(t('Menus'), 'Add menu node was displayed');
    }
  }
 }
@@ -654,7 +671,7 @@ class MenuNodeTestCase extends DrupalWebTestCase {
    $this->assertLink($node_title);

    $this->drupalGet('node/' . $node->nid . '/edit');
-    $this->assertOptionSelected('edit-menu-weight', 17, t('Menu weight correct in edit form'));
+    $this->assertOptionSelected('edit-menu-weight', 17, 'Menu weight correct in edit form');

    // Edit the node and remove the menu link.
    $edit = array(
@@ -675,11 +692,11 @@ class MenuNodeTestCase extends DrupalWebTestCase {

    // Assert that disabled Management menu is not shown on the node/$nid/edit page.
    $this->drupalGet('node/' . $node->nid . '/edit');
-    $this->assertText('Provide a menu link', t('Link in not allowed menu not shown in node edit form'));
+    $this->assertText('Provide a menu link', 'Link in not allowed menu not shown in node edit form');
    // Assert that the link is still in the management menu after save.
    $this->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save'));
    $link = menu_link_load($item['mlid']);
-    $this->assertTrue($link, t('Link in not allowed menu still exists after saving node'));
+    $this->assertTrue($link, 'Link in not allowed menu still exists after saving node');

    // Move the menu link back to the Navigation menu.
    $item['menu_name'] = 'navigation';