|
Chris@0
|
1 <?php
|
|
Chris@0
|
2
|
|
Chris@0
|
3 namespace Drupal\Tests\node\Functional;
|
|
Chris@0
|
4
|
|
Chris@18
|
5 use Drupal\Core\Database\Database;
|
|
Chris@18
|
6
|
|
Chris@0
|
7 /**
|
|
Chris@0
|
8 * Tests that node access queries are properly altered by the node module.
|
|
Chris@0
|
9 *
|
|
Chris@0
|
10 * @group node
|
|
Chris@0
|
11 */
|
|
Chris@0
|
12 class NodeQueryAlterTest extends NodeTestBase {
|
|
Chris@0
|
13
|
|
Chris@0
|
14 /**
|
|
Chris@0
|
15 * Modules to enable.
|
|
Chris@0
|
16 *
|
|
Chris@0
|
17 * @var array
|
|
Chris@0
|
18 */
|
|
Chris@0
|
19 public static $modules = ['node_access_test'];
|
|
Chris@0
|
20
|
|
Chris@0
|
21 /**
|
|
Chris@0
|
22 * User with permission to view content.
|
|
Chris@0
|
23 */
|
|
Chris@0
|
24 protected $accessUser;
|
|
Chris@0
|
25
|
|
Chris@0
|
26 /**
|
|
Chris@0
|
27 * User without permission to view content.
|
|
Chris@0
|
28 */
|
|
Chris@0
|
29 protected $noAccessUser;
|
|
Chris@0
|
30
|
|
Chris@0
|
31 protected function setUp() {
|
|
Chris@0
|
32 parent::setUp();
|
|
Chris@0
|
33
|
|
Chris@0
|
34 node_access_rebuild();
|
|
Chris@0
|
35
|
|
Chris@0
|
36 // Create some content.
|
|
Chris@0
|
37 $this->drupalCreateNode();
|
|
Chris@0
|
38 $this->drupalCreateNode();
|
|
Chris@0
|
39 $this->drupalCreateNode();
|
|
Chris@0
|
40 $this->drupalCreateNode();
|
|
Chris@0
|
41
|
|
Chris@0
|
42 // Create user with simple node access permission. The 'node test view'
|
|
Chris@0
|
43 // permission is implemented and granted by the node_access_test module.
|
|
Chris@0
|
44 $this->accessUser = $this->drupalCreateUser(['access content overview', 'access content', 'node test view']);
|
|
Chris@0
|
45 $this->noAccessUser = $this->drupalCreateUser(['access content overview', 'access content']);
|
|
Chris@0
|
46 $this->noAccessUser2 = $this->drupalCreateUser(['access content overview', 'access content']);
|
|
Chris@0
|
47 }
|
|
Chris@0
|
48
|
|
Chris@0
|
49 /**
|
|
Chris@0
|
50 * Tests 'node_access' query alter, for user with access.
|
|
Chris@0
|
51 *
|
|
Chris@0
|
52 * Verifies that a non-standard table alias can be used, and that a user with
|
|
Chris@0
|
53 * node access can view the nodes.
|
|
Chris@0
|
54 */
|
|
Chris@0
|
55 public function testNodeQueryAlterLowLevelWithAccess() {
|
|
Chris@0
|
56 // User with access should be able to view 4 nodes.
|
|
Chris@0
|
57 try {
|
|
Chris@18
|
58 $query = Database::getConnection()->select('node', 'mytab')
|
|
Chris@0
|
59 ->fields('mytab');
|
|
Chris@0
|
60 $query->addTag('node_access');
|
|
Chris@0
|
61 $query->addMetaData('op', 'view');
|
|
Chris@0
|
62 $query->addMetaData('account', $this->accessUser);
|
|
Chris@0
|
63
|
|
Chris@0
|
64 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
65 $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
|
|
Chris@0
|
66 }
|
|
Chris@0
|
67 catch (\Exception $e) {
|
|
Chris@0
|
68 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
69 }
|
|
Chris@0
|
70 }
|
|
Chris@0
|
71
|
|
Chris@0
|
72 /**
|
|
Chris@0
|
73 * Tests 'node_access' query alter with revision-enabled nodes.
|
|
Chris@0
|
74 */
|
|
Chris@0
|
75 public function testNodeQueryAlterWithRevisions() {
|
|
Chris@0
|
76 // Execute a query that only deals with the 'node_revision' table.
|
|
Chris@0
|
77 try {
|
|
Chris@0
|
78 $query = \Drupal::entityTypeManager()->getStorage('node')->getQuery();
|
|
Chris@0
|
79 $result = $query
|
|
Chris@0
|
80 ->allRevisions()
|
|
Chris@0
|
81 ->execute();
|
|
Chris@0
|
82
|
|
Chris@0
|
83 $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
|
|
Chris@0
|
84 }
|
|
Chris@0
|
85 catch (\Exception $e) {
|
|
Chris@0
|
86 $this->fail('Altered query is malformed');
|
|
Chris@0
|
87 }
|
|
Chris@0
|
88 }
|
|
Chris@0
|
89
|
|
Chris@0
|
90 /**
|
|
Chris@0
|
91 * Tests 'node_access' query alter, for user without access.
|
|
Chris@0
|
92 *
|
|
Chris@0
|
93 * Verifies that a non-standard table alias can be used, and that a user
|
|
Chris@0
|
94 * without node access cannot view the nodes.
|
|
Chris@0
|
95 */
|
|
Chris@0
|
96 public function testNodeQueryAlterLowLevelNoAccess() {
|
|
Chris@0
|
97 // User without access should be able to view 0 nodes.
|
|
Chris@0
|
98 try {
|
|
Chris@18
|
99 $query = Database::getConnection()->select('node', 'mytab')
|
|
Chris@0
|
100 ->fields('mytab');
|
|
Chris@0
|
101 $query->addTag('node_access');
|
|
Chris@0
|
102 $query->addMetaData('op', 'view');
|
|
Chris@0
|
103 $query->addMetaData('account', $this->noAccessUser);
|
|
Chris@0
|
104
|
|
Chris@0
|
105 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
106 $this->assertEqual(count($result), 0, 'User with no access cannot see nodes');
|
|
Chris@0
|
107 }
|
|
Chris@0
|
108 catch (\Exception $e) {
|
|
Chris@0
|
109 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
110 }
|
|
Chris@0
|
111 }
|
|
Chris@0
|
112
|
|
Chris@0
|
113 /**
|
|
Chris@0
|
114 * Tests 'node_access' query alter, for edit access.
|
|
Chris@0
|
115 *
|
|
Chris@0
|
116 * Verifies that a non-standard table alias can be used, and that a user with
|
|
Chris@0
|
117 * view-only node access cannot edit the nodes.
|
|
Chris@0
|
118 */
|
|
Chris@0
|
119 public function testNodeQueryAlterLowLevelEditAccess() {
|
|
Chris@0
|
120 // User with view-only access should not be able to edit nodes.
|
|
Chris@0
|
121 try {
|
|
Chris@18
|
122 $query = Database::getConnection()->select('node', 'mytab')
|
|
Chris@0
|
123 ->fields('mytab');
|
|
Chris@0
|
124 $query->addTag('node_access');
|
|
Chris@0
|
125 $query->addMetaData('op', 'update');
|
|
Chris@0
|
126 $query->addMetaData('account', $this->accessUser);
|
|
Chris@0
|
127
|
|
Chris@0
|
128 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
129 $this->assertEqual(count($result), 0, 'User with view-only access cannot edit nodes');
|
|
Chris@0
|
130 }
|
|
Chris@0
|
131 catch (\Exception $e) {
|
|
Chris@0
|
132 $this->fail($e->getMessage());
|
|
Chris@0
|
133 $this->fail((string) $query);
|
|
Chris@0
|
134 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
135 }
|
|
Chris@0
|
136 }
|
|
Chris@0
|
137
|
|
Chris@0
|
138 /**
|
|
Chris@0
|
139 * Tests 'node_access' query alter override.
|
|
Chris@0
|
140 *
|
|
Chris@0
|
141 * Verifies that node_access_view_all_nodes() is called from
|
|
Chris@0
|
142 * node_query_node_access_alter(). We do this by checking that a user who
|
|
Chris@0
|
143 * normally would not have view privileges is able to view the nodes when we
|
|
Chris@0
|
144 * add a record to {node_access} paired with a corresponding privilege in
|
|
Chris@0
|
145 * hook_node_grants().
|
|
Chris@0
|
146 */
|
|
Chris@0
|
147 public function testNodeQueryAlterOverride() {
|
|
Chris@0
|
148 $record = [
|
|
Chris@0
|
149 'nid' => 0,
|
|
Chris@0
|
150 'gid' => 0,
|
|
Chris@0
|
151 'realm' => 'node_access_all',
|
|
Chris@0
|
152 'grant_view' => 1,
|
|
Chris@0
|
153 'grant_update' => 0,
|
|
Chris@0
|
154 'grant_delete' => 0,
|
|
Chris@0
|
155 ];
|
|
Chris@18
|
156 $connection = Database::getConnection();
|
|
Chris@18
|
157 $connection->insert('node_access')->fields($record)->execute();
|
|
Chris@0
|
158
|
|
Chris@0
|
159 // Test that the noAccessUser still doesn't have the 'view'
|
|
Chris@0
|
160 // privilege after adding the node_access record.
|
|
Chris@0
|
161 drupal_static_reset('node_access_view_all_nodes');
|
|
Chris@0
|
162 try {
|
|
Chris@18
|
163 $query = $connection->select('node', 'mytab')
|
|
Chris@0
|
164 ->fields('mytab');
|
|
Chris@0
|
165 $query->addTag('node_access');
|
|
Chris@0
|
166 $query->addMetaData('op', 'view');
|
|
Chris@0
|
167 $query->addMetaData('account', $this->noAccessUser);
|
|
Chris@0
|
168
|
|
Chris@0
|
169 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
170 $this->assertEqual(count($result), 0, 'User view privileges are not overridden');
|
|
Chris@0
|
171 }
|
|
Chris@0
|
172 catch (\Exception $e) {
|
|
Chris@0
|
173 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
174 }
|
|
Chris@0
|
175
|
|
Chris@0
|
176 // Have node_test_node_grants return a node_access_all privilege,
|
|
Chris@0
|
177 // to grant the noAccessUser 'view' access. To verify that
|
|
Chris@0
|
178 // node_access_view_all_nodes is properly checking the specified
|
|
Chris@0
|
179 // $account instead of the current user, we will log in as
|
|
Chris@0
|
180 // noAccessUser2.
|
|
Chris@0
|
181 $this->drupalLogin($this->noAccessUser2);
|
|
Chris@0
|
182 \Drupal::state()->set('node_access_test.no_access_uid', $this->noAccessUser->id());
|
|
Chris@0
|
183 drupal_static_reset('node_access_view_all_nodes');
|
|
Chris@0
|
184 try {
|
|
Chris@18
|
185 $query = $connection->select('node', 'mytab')
|
|
Chris@0
|
186 ->fields('mytab');
|
|
Chris@0
|
187 $query->addTag('node_access');
|
|
Chris@0
|
188 $query->addMetaData('op', 'view');
|
|
Chris@0
|
189 $query->addMetaData('account', $this->noAccessUser);
|
|
Chris@0
|
190
|
|
Chris@0
|
191 $result = $query->execute()->fetchAll();
|
|
Chris@0
|
192 $this->assertEqual(count($result), 4, 'User view privileges are overridden');
|
|
Chris@0
|
193 }
|
|
Chris@0
|
194 catch (\Exception $e) {
|
|
Chris@0
|
195 $this->fail(t('Altered query is malformed'));
|
|
Chris@0
|
196 }
|
|
Chris@0
|
197 \Drupal::state()->delete('node_access_test.no_access_uid');
|
|
Chris@0
|
198 }
|
|
Chris@0
|
199
|
|
Chris@0
|
200 }
|
