annotate core/modules/node/tests/src/Functional/NodeQueryAlterTest.php @ 19:fa3358dc1485 tip

Add ndrum files
author Chris Cannam
date Wed, 28 Aug 2019 13:14:47 +0100
parents af1871eacc83
children
rev   line source
Chris@0 1 <?php
Chris@0 2
Chris@0 3 namespace Drupal\Tests\node\Functional;
Chris@0 4
Chris@18 5 use Drupal\Core\Database\Database;
Chris@18 6
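/**
 * Tests that node access queries are properly altered by the node module.
 *
 * The low-level tests run a select on {node} tagged 'node_access' and count
 * the rows returned for a given account and operation. The tag, together with
 * the 'op' and 'account' metadata, is what the tests rely on to have
 * node_query_node_access_alter() restrict the result set.
 *
 * @group node
 */
class NodeQueryAlterTest extends NodeTestBase {

  /**
   * Modules to enable.
   *
   * @var array
   */
  public static $modules = ['node_access_test'];

  /**
   * User with permission to view content.
   *
   * @var \Drupal\user\UserInterface
   */
  protected $accessUser;

  /**
   * User without permission to view content.
   *
   * @var \Drupal\user\UserInterface
   */
  protected $noAccessUser;

  /**
   * Second user without permission to view content.
   *
   * Only used as the logged-in user in testNodeQueryAlterOverride(), so that
   * the account in the query metadata differs from the current user.
   *
   * @var \Drupal\user\UserInterface
   */
  protected $noAccessUser2;

  /**
   * {@inheritdoc}
   */
  protected function setUp() {
    parent::setUp();

    node_access_rebuild();

    // Create the four nodes that the row-count assertions below expect.
    for ($i = 0; $i < 4; $i++) {
      $this->drupalCreateNode();
    }

    // Create user with simple node access permission. The 'node test view'
    // permission is implemented and granted by the node_access_test module.
    $this->accessUser = $this->drupalCreateUser(['access content overview', 'access content', 'node test view']);
    // The two users below lack 'node test view'; everything else is the same.
    $this->noAccessUser = $this->drupalCreateUser(['access content overview', 'access content']);
    $this->noAccessUser2 = $this->drupalCreateUser(['access content overview', 'access content']);
  }

  /**
   * Runs a 'node_access'-tagged select on {node} and returns its rows.
   *
   * The query uses the non-standard table alias 'mytab' on purpose: the tests
   * verify that the alter does not depend on a conventional alias.
   *
   * Only query execution is guarded. Assertions stay with the caller, so a
   * wrong row count is reported with its own message instead of being caught
   * and re-reported as a malformed query.
   *
   * @param string $op
   *   Value for the 'op' metadata; the tests use 'view' and 'update'.
   * @param object $account
   *   Value for the 'account' metadata: the user to check access for.
   *
   * @return array
   *   The rows returned by the query.
   */
  protected function fetchNodeAccessRows($op, $account) {
    $query = Database::getConnection()->select('node', 'mytab')
      ->fields('mytab');
    $query->addTag('node_access');
    $query->addMetaData('op', $op);
    $query->addMetaData('account', $account);

    try {
      return $query->execute()->fetchAll();
    }
    catch (\Exception $e) {
      // Keep the underlying error in the report so the cause is visible.
      $this->fail('Altered query is malformed: ' . $e->getMessage());
    }
  }

  /**
   * Tests 'node_access' query alter, for user with access.
   *
   * Verifies that a non-standard table alias can be used, and that a user with
   * node access can view the nodes.
   */
  public function testNodeQueryAlterLowLevelWithAccess() {
    // User with access should be able to view 4 nodes.
    $result = $this->fetchNodeAccessRows('view', $this->accessUser);
    $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
  }

  /**
   * Tests 'node_access' query alter with revision-enabled nodes.
   */
  public function testNodeQueryAlterWithRevisions() {
    // Execute a query that only deals with the 'node_revision' table.
    // NOTE(review): no account is logged in or passed to this query, so which
    // user the expected count of 4 applies to is not visible here; confirm.
    try {
      $result = \Drupal::entityTypeManager()->getStorage('node')->getQuery()
        ->allRevisions()
        ->execute();
    }
    catch (\Exception $e) {
      $this->fail('Altered query is malformed: ' . $e->getMessage());
    }

    $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
  }

  /**
   * Tests 'node_access' query alter, for user without access.
   *
   * Verifies that a non-standard table alias can be used, and that a user
   * without node access cannot view the nodes.
   */
  public function testNodeQueryAlterLowLevelNoAccess() {
    // User without access should be able to view 0 nodes.
    $result = $this->fetchNodeAccessRows('view', $this->noAccessUser);
    $this->assertEqual(count($result), 0, 'User with no access cannot see nodes');
  }

  /**
   * Tests 'node_access' query alter, for edit access.
   *
   * Verifies that a non-standard table alias can be used, and that a user with
   * view-only node access cannot edit the nodes.
   */
  public function testNodeQueryAlterLowLevelEditAccess() {
    // User with view-only access should not be able to edit nodes.
    $result = $this->fetchNodeAccessRows('update', $this->accessUser);
    $this->assertEqual(count($result), 0, 'User with view-only access cannot edit nodes');
  }

  /**
   * Tests 'node_access' query alter override.
   *
   * Verifies that node_access_view_all_nodes() is called from
   * node_query_node_access_alter(). We do this by checking that a user who
   * normally would not have view privileges is able to view the nodes when we
   * add a record to {node_access} paired with a corresponding privilege in
   * hook_node_grants().
   */
  public function testNodeQueryAlterOverride() {
    $record = [
      'nid' => 0,
      'gid' => 0,
      'realm' => 'node_access_all',
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
    ];
    Database::getConnection()->insert('node_access')->fields($record)->execute();

    // Test that the noAccessUser still doesn't have the 'view'
    // privilege after adding the node_access record: the record alone must
    // not widen access without a matching grant.
    drupal_static_reset('node_access_view_all_nodes');
    $result = $this->fetchNodeAccessRows('view', $this->noAccessUser);
    $this->assertEqual(count($result), 0, 'User view privileges are not overridden');

    // Have node_test_node_grants return a node_access_all privilege,
    // to grant the noAccessUser 'view' access. To verify that
    // node_access_view_all_nodes is properly checking the specified
    // $account instead of the current user, we will log in as
    // noAccessUser2.
    $this->drupalLogin($this->noAccessUser2);
    \Drupal::state()->set('node_access_test.no_access_uid', $this->noAccessUser->id());
    drupal_static_reset('node_access_view_all_nodes');
    $result = $this->fetchNodeAccessRows('view', $this->noAccessUser);
    $this->assertEqual(count($result), 4, 'User view privileges are overridden');

    \Drupal::state()->delete('node_access_test.no_access_uid');
  }

}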