Mercurial > hg > isophonics-drupal-site
comparison core/modules/node/tests/src/Functional/NodeQueryAlterTest.php @ 0:4c8ae668cc8c
Initial import (non-working)
| author | Chris Cannam |
|---|---|
| date | Wed, 29 Nov 2017 16:09:58 +0000 |
| parents | |
| children | af1871eacc83 |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:4c8ae668cc8c |
|---|---|
| 1 <?php | |
| 2 | |
| 3 namespace Drupal\Tests\node\Functional; | |
| 4 | |
| 5 /** | |
| 6 * Tests that node access queries are properly altered by the node module. | |
| 7 * | |
| 8 * @group node | |
| 9 */ | |
| 10 class NodeQueryAlterTest extends NodeTestBase { | |
| 11 | |
| 12 /** | |
| 13 * Modules to enable. | |
| 14 * | |
| 15 * @var array | |
| 16 */ | |
| 17 public static $modules = ['node_access_test']; | |
| 18 | |
| 19 /** | |
| 20 * User with permission to view content. | |
| 21 */ | |
| 22 protected $accessUser; | |
| 23 | |
| 24 /** | |
| 25 * User without permission to view content. | |
| 26 */ | |
| 27 protected $noAccessUser; | |
| 28 | |
| 29 protected function setUp() { | |
| 30 parent::setUp(); | |
| 31 | |
| 32 node_access_rebuild(); | |
| 33 | |
| 34 // Create some content. | |
| 35 $this->drupalCreateNode(); | |
| 36 $this->drupalCreateNode(); | |
| 37 $this->drupalCreateNode(); | |
| 38 $this->drupalCreateNode(); | |
| 39 | |
| 40 // Create user with simple node access permission. The 'node test view' | |
| 41 // permission is implemented and granted by the node_access_test module. | |
| 42 $this->accessUser = $this->drupalCreateUser(['access content overview', 'access content', 'node test view']); | |
| 43 $this->noAccessUser = $this->drupalCreateUser(['access content overview', 'access content']); | |
| 44 $this->noAccessUser2 = $this->drupalCreateUser(['access content overview', 'access content']); | |
| 45 } | |
| 46 | |
| 47 /** | |
| 48 * Tests 'node_access' query alter, for user with access. | |
| 49 * | |
| 50 * Verifies that a non-standard table alias can be used, and that a user with | |
| 51 * node access can view the nodes. | |
| 52 */ | |
| 53 public function testNodeQueryAlterLowLevelWithAccess() { | |
| 54 // User with access should be able to view 4 nodes. | |
| 55 try { | |
| 56 $query = db_select('node', 'mytab') | |
| 57 ->fields('mytab'); | |
| 58 $query->addTag('node_access'); | |
| 59 $query->addMetaData('op', 'view'); | |
| 60 $query->addMetaData('account', $this->accessUser); | |
| 61 | |
| 62 $result = $query->execute()->fetchAll(); | |
| 63 $this->assertEqual(count($result), 4, 'User with access can see correct nodes'); | |
| 64 } | |
| 65 catch (\Exception $e) { | |
| 66 $this->fail(t('Altered query is malformed')); | |
| 67 } | |
| 68 } | |
| 69 | |
| 70 /** | |
| 71 * Tests 'node_access' query alter with revision-enabled nodes. | |
| 72 */ | |
| 73 public function testNodeQueryAlterWithRevisions() { | |
| 74 // Execute a query that only deals with the 'node_revision' table. | |
| 75 try { | |
| 76 $query = \Drupal::entityTypeManager()->getStorage('node')->getQuery(); | |
| 77 $result = $query | |
| 78 ->allRevisions() | |
| 79 ->execute(); | |
| 80 | |
| 81 $this->assertEqual(count($result), 4, 'User with access can see correct nodes'); | |
| 82 } | |
| 83 catch (\Exception $e) { | |
| 84 $this->fail('Altered query is malformed'); | |
| 85 } | |
| 86 } | |
| 87 | |
| 88 /** | |
| 89 * Tests 'node_access' query alter, for user without access. | |
| 90 * | |
| 91 * Verifies that a non-standard table alias can be used, and that a user | |
| 92 * without node access cannot view the nodes. | |
| 93 */ | |
| 94 public function testNodeQueryAlterLowLevelNoAccess() { | |
| 95 // User without access should be able to view 0 nodes. | |
| 96 try { | |
| 97 $query = db_select('node', 'mytab') | |
| 98 ->fields('mytab'); | |
| 99 $query->addTag('node_access'); | |
| 100 $query->addMetaData('op', 'view'); | |
| 101 $query->addMetaData('account', $this->noAccessUser); | |
| 102 | |
| 103 $result = $query->execute()->fetchAll(); | |
| 104 $this->assertEqual(count($result), 0, 'User with no access cannot see nodes'); | |
| 105 } | |
| 106 catch (\Exception $e) { | |
| 107 $this->fail(t('Altered query is malformed')); | |
| 108 } | |
| 109 } | |
| 110 | |
| 111 /** | |
| 112 * Tests 'node_access' query alter, for edit access. | |
| 113 * | |
| 114 * Verifies that a non-standard table alias can be used, and that a user with | |
| 115 * view-only node access cannot edit the nodes. | |
| 116 */ | |
| 117 public function testNodeQueryAlterLowLevelEditAccess() { | |
| 118 // User with view-only access should not be able to edit nodes. | |
| 119 try { | |
| 120 $query = db_select('node', 'mytab') | |
| 121 ->fields('mytab'); | |
| 122 $query->addTag('node_access'); | |
| 123 $query->addMetaData('op', 'update'); | |
| 124 $query->addMetaData('account', $this->accessUser); | |
| 125 | |
| 126 $result = $query->execute()->fetchAll(); | |
| 127 $this->assertEqual(count($result), 0, 'User with view-only access cannot edit nodes'); | |
| 128 } | |
| 129 catch (\Exception $e) { | |
| 130 $this->fail($e->getMessage()); | |
| 131 $this->fail((string) $query); | |
| 132 $this->fail(t('Altered query is malformed')); | |
| 133 } | |
| 134 } | |
| 135 | |
| 136 /** | |
| 137 * Tests 'node_access' query alter override. | |
| 138 * | |
| 139 * Verifies that node_access_view_all_nodes() is called from | |
| 140 * node_query_node_access_alter(). We do this by checking that a user who | |
| 141 * normally would not have view privileges is able to view the nodes when we | |
| 142 * add a record to {node_access} paired with a corresponding privilege in | |
| 143 * hook_node_grants(). | |
| 144 */ | |
| 145 public function testNodeQueryAlterOverride() { | |
| 146 $record = [ | |
| 147 'nid' => 0, | |
| 148 'gid' => 0, | |
| 149 'realm' => 'node_access_all', | |
| 150 'grant_view' => 1, | |
| 151 'grant_update' => 0, | |
| 152 'grant_delete' => 0, | |
| 153 ]; | |
| 154 db_insert('node_access')->fields($record)->execute(); | |
| 155 | |
| 156 // Test that the noAccessUser still doesn't have the 'view' | |
| 157 // privilege after adding the node_access record. | |
| 158 drupal_static_reset('node_access_view_all_nodes'); | |
| 159 try { | |
| 160 $query = db_select('node', 'mytab') | |
| 161 ->fields('mytab'); | |
| 162 $query->addTag('node_access'); | |
| 163 $query->addMetaData('op', 'view'); | |
| 164 $query->addMetaData('account', $this->noAccessUser); | |
| 165 | |
| 166 $result = $query->execute()->fetchAll(); | |
| 167 $this->assertEqual(count($result), 0, 'User view privileges are not overridden'); | |
| 168 } | |
| 169 catch (\Exception $e) { | |
| 170 $this->fail(t('Altered query is malformed')); | |
| 171 } | |
| 172 | |
| 173 // Have node_test_node_grants return a node_access_all privilege, | |
| 174 // to grant the noAccessUser 'view' access. To verify that | |
| 175 // node_access_view_all_nodes is properly checking the specified | |
| 176 // $account instead of the current user, we will log in as | |
| 177 // noAccessUser2. | |
| 178 $this->drupalLogin($this->noAccessUser2); | |
| 179 \Drupal::state()->set('node_access_test.no_access_uid', $this->noAccessUser->id()); | |
| 180 drupal_static_reset('node_access_view_all_nodes'); | |
| 181 try { | |
| 182 $query = db_select('node', 'mytab') | |
| 183 ->fields('mytab'); | |
| 184 $query->addTag('node_access'); | |
| 185 $query->addMetaData('op', 'view'); | |
| 186 $query->addMetaData('account', $this->noAccessUser); | |
| 187 | |
| 188 $result = $query->execute()->fetchAll(); | |
| 189 $this->assertEqual(count($result), 4, 'User view privileges are overridden'); | |
| 190 } | |
| 191 catch (\Exception $e) { | |
| 192 $this->fail(t('Altered query is malformed')); | |
| 193 } | |
| 194 \Drupal::state()->delete('node_access_test.no_access_uid'); | |
| 195 } | |
| 196 | |
| 197 } |