|
Chris@0
|
1 <?php
|
|
Chris@0
|
2
|
|
Chris@0
|
3 namespace Drupal\Tests\node\Functional;
|
|
Chris@0
|
4
|
|
Chris@0
|
5 /**
|
|
Chris@0
|
6 * Tests that node access queries are properly altered by the node module.
|
|
Chris@0
|
7 *
|
|
Chris@0
|
8 * @group node
|
|
Chris@0
|
9 */
|
|
Chris@0
|
10 class NodeQueryAlterTest extends NodeTestBase {
|
|
Chris@0
|
11
|
|
Chris@0
|
12 /**
|
|
Chris@0
|
13 * Modules to enable.
|
|
Chris@0
|
14 *
|
|
Chris@0
|
15 * @var array
|
|
Chris@0
|
16 */
|
|
Chris@0
|
17 public static $modules = ['node_access_test'];
|
|
Chris@0
|
18
|
|
Chris@0
|
19 /**
|
|
Chris@0
|
20 * User with permission to view content.
|
|
Chris@0
|
21 */
|
|
Chris@0
|
22 protected $accessUser;
|
|
Chris@0
|
23
|
|
Chris@0
|
24 /**
|
|
Chris@0
|
25 * User without permission to view content.
|
|
Chris@0
|
26 */
|
|
Chris@0
|
27 protected $noAccessUser;
|
|
Chris@0
|
28
|
|
Chris@0
|
29 protected function setUp() {
|
|
Chris@0
|
30 parent::setUp();
|
|
Chris@0
|
31
|
|
Chris@0
|
32 node_access_rebuild();
|
|
Chris@0
|
33
|
|
Chris@0
|
34 // Create some content.
|
|
Chris@0
|
35 $this->drupalCreateNode();
|
|
Chris@0
|
36 $this->drupalCreateNode();
|
|
Chris@0
|
37 $this->drupalCreateNode();
|
|
Chris@0
|
38 $this->drupalCreateNode();
|
|
Chris@0
|
39
|
|
Chris@0
|
40 // Create user with simple node access permission. The 'node test view'
|
|
Chris@0
|
41 // permission is implemented and granted by the node_access_test module.
|
|
Chris@0
|
42 $this->accessUser = $this->drupalCreateUser(['access content overview', 'access content', 'node test view']);
|
|
Chris@0
|
43 $this->noAccessUser = $this->drupalCreateUser(['access content overview', 'access content']);
|
|
Chris@0
|
44 $this->noAccessUser2 = $this->drupalCreateUser(['access content overview', 'access content']);
|
|
Chris@0
|
45 }
|
|
Chris@0
|
46
|
|
Chris@0
|
47 /**
|
|
Chris@0
|
48 * Tests 'node_access' query alter, for user with access.
|
|
Chris@0
|
49 *
|
|
Chris@0
|
50 * Verifies that a non-standard table alias can be used, and that a user with
|
|
Chris@0
|
51 * node access can view the nodes.
|
|
Chris@0
|
52 */
|
|
Chris@0
|
53 public function testNodeQueryAlterLowLevelWithAccess() {
|
|
Chris@0
|
54 // User with access should be able to view 4 nodes.
|
|
Chris@0
|
55 try {
|
|
Chris@0
|
56 $query = db_select('node', 'mytab')
|
|
Chris@0
|
57 ->fields('mytab');
|
|
Chris@0
|
58 $query->addTag('node_access');
|
|
Chris@0
|
59 $query->addMetaData('op', 'view');
|
|
Chris@0
|
60 $query->addMetaData('account', $this->accessUser);
|
|
Chris@0
|
61
|
|
Chris@0
|
62 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
63 $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
|
|
Chris@0
|
64 }
|
|
Chris@0
|
65 catch (\Exception $e) {
|
|
Chris@0
|
66 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
67 }
|
|
Chris@0
|
68 }
|
|
Chris@0
|
69
|
|
Chris@0
|
70 /**
|
|
Chris@0
|
71 * Tests 'node_access' query alter with revision-enabled nodes.
|
|
Chris@0
|
72 */
|
|
Chris@0
|
73 public function testNodeQueryAlterWithRevisions() {
|
|
Chris@0
|
74 // Execute a query that only deals with the 'node_revision' table.
|
|
Chris@0
|
75 try {
|
|
Chris@0
|
76 $query = \Drupal::entityTypeManager()->getStorage('node')->getQuery();
|
|
Chris@0
|
77 $result = $query
|
|
Chris@0
|
78 ->allRevisions()
|
|
Chris@0
|
79 ->execute();
|
|
Chris@0
|
80
|
|
Chris@0
|
81 $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
|
|
Chris@0
|
82 }
|
|
Chris@0
|
83 catch (\Exception $e) {
|
|
Chris@0
|
84 $this->fail('Altered query is malformed');
|
|
Chris@0
|
85 }
|
|
Chris@0
|
86 }
|
|
Chris@0
|
87
|
|
Chris@0
|
88 /**
|
|
Chris@0
|
89 * Tests 'node_access' query alter, for user without access.
|
|
Chris@0
|
90 *
|
|
Chris@0
|
91 * Verifies that a non-standard table alias can be used, and that a user
|
|
Chris@0
|
92 * without node access cannot view the nodes.
|
|
Chris@0
|
93 */
|
|
Chris@0
|
94 public function testNodeQueryAlterLowLevelNoAccess() {
|
|
Chris@0
|
95 // User without access should be able to view 0 nodes.
|
|
Chris@0
|
96 try {
|
|
Chris@0
|
97 $query = db_select('node', 'mytab')
|
|
Chris@0
|
98 ->fields('mytab');
|
|
Chris@0
|
99 $query->addTag('node_access');
|
|
Chris@0
|
100 $query->addMetaData('op', 'view');
|
|
Chris@0
|
101 $query->addMetaData('account', $this->noAccessUser);
|
|
Chris@0
|
102
|
|
Chris@0
|
103 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
104 $this->assertEqual(count($result), 0, 'User with no access cannot see nodes');
|
|
Chris@0
|
105 }
|
|
Chris@0
|
106 catch (\Exception $e) {
|
|
Chris@0
|
107 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
108 }
|
|
Chris@0
|
109 }
|
|
Chris@0
|
110
|
|
Chris@0
|
111 /**
|
|
Chris@0
|
112 * Tests 'node_access' query alter, for edit access.
|
|
Chris@0
|
113 *
|
|
Chris@0
|
114 * Verifies that a non-standard table alias can be used, and that a user with
|
|
Chris@0
|
115 * view-only node access cannot edit the nodes.
|
|
Chris@0
|
116 */
|
|
Chris@0
|
117 public function testNodeQueryAlterLowLevelEditAccess() {
|
|
Chris@0
|
118 // User with view-only access should not be able to edit nodes.
|
|
Chris@0
|
119 try {
|
|
Chris@0
|
120 $query = db_select('node', 'mytab')
|
|
Chris@0
|
121 ->fields('mytab');
|
|
Chris@0
|
122 $query->addTag('node_access');
|
|
Chris@0
|
123 $query->addMetaData('op', 'update');
|
|
Chris@0
|
124 $query->addMetaData('account', $this->accessUser);
|
|
Chris@0
|
125
|
|
Chris@0
|
126 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
127 $this->assertEqual(count($result), 0, 'User with view-only access cannot edit nodes');
|
|
Chris@0
|
128 }
|
|
Chris@0
|
129 catch (\Exception $e) {
|
|
Chris@0
|
130 $this->fail($e->getMessage());
|
|
Chris@0
|
131 $this->fail((string) $query);
|
|
Chris@0
|
132 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
133 }
|
|
Chris@0
|
134 }
|
|
Chris@0
|
135
|
|
Chris@0
|
136 /**
|
|
Chris@0
|
137 * Tests 'node_access' query alter override.
|
|
Chris@0
|
138 *
|
|
Chris@0
|
139 * Verifies that node_access_view_all_nodes() is called from
|
|
Chris@0
|
140 * node_query_node_access_alter(). We do this by checking that a user who
|
|
Chris@0
|
141 * normally would not have view privileges is able to view the nodes when we
|
|
Chris@0
|
142 * add a record to {node_access} paired with a corresponding privilege in
|
|
Chris@0
|
143 * hook_node_grants().
|
|
Chris@0
|
144 */
|
|
Chris@0
|
145 public function testNodeQueryAlterOverride() {
|
|
Chris@0
|
146 $record = [
|
|
Chris@0
|
147 'nid' => 0,
|
|
Chris@0
|
148 'gid' => 0,
|
|
Chris@0
|
149 'realm' => 'node_access_all',
|
|
Chris@0
|
150 'grant_view' => 1,
|
|
Chris@0
|
151 'grant_update' => 0,
|
|
Chris@0
|
152 'grant_delete' => 0,
|
|
Chris@0
|
153 ];
|
|
Chris@0
|
154 db_insert('node_access')->fields($record)->execute();
|
|
Chris@0
|
155
|
|
Chris@0
|
156 // Test that the noAccessUser still doesn't have the 'view'
|
|
Chris@0
|
157 // privilege after adding the node_access record.
|
|
Chris@0
|
158 drupal_static_reset('node_access_view_all_nodes');
|
|
Chris@0
|
159 try {
|
|
Chris@0
|
160 $query = db_select('node', 'mytab')
|
|
Chris@0
|
161 ->fields('mytab');
|
|
Chris@0
|
162 $query->addTag('node_access');
|
|
Chris@0
|
163 $query->addMetaData('op', 'view');
|
|
Chris@0
|
164 $query->addMetaData('account', $this->noAccessUser);
|
|
Chris@0
|
165
|
|
Chris@0
|
166 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
167 $this->assertEqual(count($result), 0, 'User view privileges are not overridden');
|
|
Chris@0
|
168 }
|
|
Chris@0
|
169 catch (\Exception $e) {
|
|
Chris@0
|
170 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
171 }
|
|
Chris@0
|
172
|
|
Chris@0
|
173 // Have node_test_node_grants return a node_access_all privilege,
|
|
Chris@0
|
174 // to grant the noAccessUser 'view' access. To verify that
|
|
Chris@0
|
175 // node_access_view_all_nodes is properly checking the specified
|
|
Chris@0
|
176 // $account instead of the current user, we will log in as
|
|
Chris@0
|
177 // noAccessUser2.
|
|
Chris@0
|
178 $this->drupalLogin($this->noAccessUser2);
|
|
Chris@0
|
179 \Drupal::state()->set('node_access_test.no_access_uid', $this->noAccessUser->id());
|
|
Chris@0
|
180 drupal_static_reset('node_access_view_all_nodes');
|
|
Chris@0
|
181 try {
|
|
Chris@0
|
182 $query = db_select('node', 'mytab')
|
|
Chris@0
|
183 ->fields('mytab');
|
|
Chris@0
|
184 $query->addTag('node_access');
|
|
Chris@0
|
185 $query->addMetaData('op', 'view');
|
|
Chris@0
|
186 $query->addMetaData('account', $this->noAccessUser);
|
|
Chris@0
|
187
|
|
Chris@0
|
188 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
189 $this->assertEqual(count($result), 4, 'User view privileges are overridden');
|
|
Chris@0
|
190 }
|
|
Chris@0
|
191 catch (\Exception $e) {
|
|
Chris@0
|
192 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
193 }
|
|
Chris@0
|
194 \Drupal::state()->delete('node_access_test.no_access_uid');
|
|
Chris@0
|
195 }
|
|
Chris@0
|
196
|
|
Chris@0
|
197 }
|
