Security update for Core, with self-updated composer
[yaffs-website] / web / core / modules / comment / src / Controller / CommentController.php
index c834fa67a1cc818fd5f347105b15aa321549f2d6..560233889cccc69f6e042f56a2d2ff927d2fd846 100644 (file)
@@ -279,16 +279,19 @@ class CommentController extends ControllerBase {
     // Check if the user has the proper permissions.
     $access = AccessResult::allowedIfHasPermission($account, 'post comments');
 
+    // If commenting is open on the entity.
     $status = $entity->{$field_name}->status;
     $access = $access->andIf(AccessResult::allowedIf($status == CommentItemInterface::OPEN)
-      ->addCacheableDependency($entity));
+      ->addCacheableDependency($entity))
+      // And if user has access to the host entity.
+      ->andIf(AccessResult::allowedIf($entity->access('view')));
 
     // $pid indicates that this is a reply to a comment.
     if ($pid) {
       // Check if the user has the proper permissions.
       $access = $access->andIf(AccessResult::allowedIfHasPermission($account, 'access comments'));
 
-      /// Load the parent comment.
+      // Load the parent comment.
       $comment = $this->entityManager()->getStorage('comment')->load($pid);
       // Check if the parent comment is published and belongs to the entity.
       $access = $access->andIf(AccessResult::allowedIf($comment && $comment->isPublished() && $comment->getCommentedEntityId() == $entity->id()));
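Review bot: The host-entity check added at the end of the chain calls `$entity->access('view')` in its boolean form, so the `AccessResult::allowedIf(...)` wrapped around it carries none of the cacheability metadata (per-user cache contexts, tags from the host entity's access handler) that the access system attaches to that decision; because the preceding term does call `addCacheableDependency($entity)`, the combined result looks fully cacheable while depending on state it never declares, which is how an access decision for one user can be served to another from cache. The new line also omits the `$account` argument that every other check in this hunk passes (`allowedIfHasPermission($account, ...)`), so the host-entity check is evaluated for the current user rather than the account under test; if those two can ever differ here, the authorization decision is inconsistent. Both points are addressed by asking the entity for the access result object and passing the account through: `->andIf($entity->access('view', $account, TRUE));`. The enclosing method begins before this hunk and continues after it.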