Security update for Core, with self-updated composer

[yaffs-website] / web / core / modules / system / src / DateFormatAccessControlHandler.php

diff --git a/web/core/modules/system/src/DateFormatAccessControlHandler.php b/web/core/modules/system/src/DateFormatAccessControlHandler.php
index c9cee601ec3896630c0b0d4a6a95720dd84c7549..e56fe92a46a0eb4c493126baf1c6301fc87ca4a9 100644 (file)
--- a/web/core/modules/system/src/DateFormatAccessControlHandler.php
+++ b/web/core/modules/system/src/DateFormatAccessControlHandler.php
@@ -14,18 +14,23 @@ use Drupal\Core\Session\AccountInterface;
  */
 class DateFormatAccessControlHandler extends EntityAccessControlHandler {
 
+  /**
+   * {@inheritdoc}
+   */
+  protected $viewLabelOperation = TRUE;
+
   /**
    * {@inheritdoc}
    */
   protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
-    // There are no restrictions on viewing a date format.
-    if ($operation == 'view') {
+    // There are no restrictions on viewing the label of a date format.
+    if ($operation === 'view label') {
       return AccessResult::allowed();
     }
     // Locked date formats cannot be updated or deleted.
     elseif (in_array($operation, ['update', 'delete'])) {
       if ($entity->isLocked()) {
-        return AccessResult::forbidden()->addCacheableDependency($entity);
+        return AccessResult::forbidden('The DateFormat config entity is locked.')->addCacheableDependency($entity);
       }
       else {
         return parent::checkAccess($entity, $operation, $account)->addCacheableDependency($entity);