security update core+modules

2015-04-26 18:38:56 +02:00
parent 2f45ea820a
commit 7c96373038
1022 changed files with 30319 additions and 11259 deletions
--- a/sites/all/modules/ctools/plugins/relationships/book_parent.inc
+++ b/sites/all/modules/ctools/plugins/relationships/book_parent.inc
@@ -42,7 +42,9 @@ function ctools_book_parent_context($context, $conf) {
      // Load the node.
      $node = node_load($nid);
      // Generate the context.
-      return ctools_context_create('node', $node);
+      if (node_access('view', $node)) {
+        return ctools_context_create('node', $node);
+      }
    }
  }
  else {
--- a/sites/all/modules/ctools/plugins/relationships/entity_from_field.inc
+++ b/sites/all/modules/ctools/plugins/relationships/entity_from_field.inc
@@ -154,6 +154,11 @@ function ctools_entity_from_field_get_children($parent_plugin, $parent) {
 * Return a new context based on an existing context.
 */
 function ctools_entity_from_field_context($context, $conf) {
+  // Perform access check on current logged in user.
+  global $user;
+  // Clone user object so account can be passed by value to access callback.
+  $account = clone $user;
+
  $delta = !empty($conf['delta']) ? intval($conf['delta']) : 0;
  $plugin = $conf['name'];
  list($plugin, $plugin_name) = explode(':', $plugin);
@@ -173,11 +178,20 @@ function ctools_entity_from_field_context($context, $conf) {
      if (isset($items[$delta])) {
        ctools_include('fields');
        $to_entity_info = entity_get_info($to_entity);
+
        $plugin_info = ctools_get_relationship($conf['name']);
        $to_entity_id = $items[$delta][$plugin_info['source key']];
+        $loaded_to_entity = entity_load($to_entity, array($to_entity_id));
+        $loaded_to_entity = array_shift($loaded_to_entity);

-        // Send it to ctools.
-        return ctools_context_create('entity:' . $to_entity, $to_entity_id);
+        // Pass current user account and entity type to access callback.
+        if (function_exists($to_entity_info['access callback']) && !call_user_func($to_entity_info['access callback'], 'view', $loaded_to_entity, $account, $to_entity)) {
+          return ctools_context_create_empty('entity:' . $to_entity, NULL);
+        }
+        else {
+          // Send it to ctools.
+          return ctools_context_create('entity:' . $to_entity, $to_entity_id);
+        }
      }
      else {
        // In case that delta was empty.
--- a/sites/all/modules/ctools/plugins/relationships/terms_from_node.inc
+++ b/sites/all/modules/ctools/plugins/relationships/terms_from_node.inc
@@ -35,7 +35,7 @@ function ctools_terms_from_node_context($context, $conf) {
  $fields = field_info_instances('node', $node->type);
  foreach ($fields as $name => $info) {
    $field_info = field_info_field($name);
-    if ($field_info['type'] == 'taxonomy_term_reference' && (empty($conf['vocabulary']) || $conf['vocabulary'][$field_info['settings']['allowed_values'][0]['vocabulary']])) {
+    if ($field_info['type'] == 'taxonomy_term_reference' && (empty($conf['vocabulary']) || !empty($conf['vocabulary'][$field_info['settings']['allowed_values'][0]['vocabulary']]))) {
      $items = field_get_items('node', $node, $name);
      if (is_array($items)) {
        foreach ($items as $item) {