diff core/modules/node/tests/src/Functional/NodeQueryAlterTest.php @ 0:4c8ae668cc8c
Initial import (non-working)
author | Chris Cannam |
---|---|
date | Wed, 29 Nov 2017 16:09:58 +0000 |
parents | |
children | af1871eacc83 |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/core/modules/node/tests/src/Functional/NodeQueryAlterTest.php Wed Nov 29 16:09:58 2017 +0000
@@ -0,0 +1,197 @@
+<?php
+
+namespace Drupal\Tests\node\Functional;
+
+/**
+ * Tests that node access queries are properly altered by the node module.
+ *
+ * @group node
+ */
+class NodeQueryAlterTest extends NodeTestBase {
+
+ /**
+ * Modules to enable.
+ *
+ * @var array
+ */
+ public static $modules = ['node_access_test'];
+
+ /**
+ * User with permission to view content.
+ */
+ protected $accessUser;
+
+ /**
+ * User without permission to view content.
+ */
+ protected $noAccessUser;
+
+ protected function setUp() {
+ parent::setUp();
+
+ node_access_rebuild();
+
+ // Create some content.
+ $this->drupalCreateNode();
+ $this->drupalCreateNode();
+ $this->drupalCreateNode();
+ $this->drupalCreateNode();
+
+ // Create user with simple node access permission. The 'node test view'
+ // permission is implemented and granted by the node_access_test module.
+ $this->accessUser = $this->drupalCreateUser(['access content overview', 'access content', 'node test view']);
+ $this->noAccessUser = $this->drupalCreateUser(['access content overview', 'access content']);
+ $this->noAccessUser2 = $this->drupalCreateUser(['access content overview', 'access content']);
+ }
+
+ /**
+ * Tests 'node_access' query alter, for user with access.
+ *
+ * Verifies that a non-standard table alias can be used, and that a user with
+ * node access can view the nodes.
+ */
+ public function testNodeQueryAlterLowLevelWithAccess() {
+ // User with access should be able to view 4 nodes.
+ try {
+ $query = db_select('node', 'mytab')
+ ->fields('mytab');
+ $query->addTag('node_access');
+ $query->addMetaData('op', 'view');
+ $query->addMetaData('account', $this->accessUser);
+
+ $result = $query->execute()->fetchAll();
+ $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
+ }
+ catch (\Exception $e) {
+ $this->fail(t('Altered query is malformed'));
+ }
+ }
+
+ /**
+ * Tests 'node_access' query alter with revision-enabled nodes.
+ */
+ public function testNodeQueryAlterWithRevisions() {
+ // Execute a query that only deals with the 'node_revision' table.
+ try {
+ $query = \Drupal::entityTypeManager()->getStorage('node')->getQuery();
+ $result = $query
+ ->allRevisions()
+ ->execute();
+
+ $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
+ }
+ catch (\Exception $e) {
+ $this->fail('Altered query is malformed');
+ }
+ }
+
+ /**
+ * Tests 'node_access' query alter, for user without access.
+ *
+ * Verifies that a non-standard table alias can be used, and that a user
+ * without node access cannot view the nodes.
+ */
+ public function testNodeQueryAlterLowLevelNoAccess() {
+ // User without access should be able to view 0 nodes.
+ try {
+ $query = db_select('node', 'mytab')
+ ->fields('mytab');
+ $query->addTag('node_access');
+ $query->addMetaData('op', 'view');
+ $query->addMetaData('account', $this->noAccessUser);
+
+ $result = $query->execute()->fetchAll();
+ $this->assertEqual(count($result), 0, 'User with no access cannot see nodes');
+ }
+ catch (\Exception $e) {
+ $this->fail(t('Altered query is malformed'));
+ }
+ }
+
+ /**
+ * Tests 'node_access' query alter, for edit access.
+ *
+ * Verifies that a non-standard table alias can be used, and that a user with
+ * view-only node access cannot edit the nodes.
+ */
+ public function testNodeQueryAlterLowLevelEditAccess() {
+ // User with view-only access should not be able to edit nodes.
+ try {
+ $query = db_select('node', 'mytab')
+ ->fields('mytab');
+ $query->addTag('node_access');
+ $query->addMetaData('op', 'update');
+ $query->addMetaData('account', $this->accessUser);
+
+ $result = $query->execute()->fetchAll();
+ $this->assertEqual(count($result), 0, 'User with view-only access cannot edit nodes');
+ }
+ catch (\Exception $e) {
+ $this->fail($e->getMessage());
+ $this->fail((string) $query);
+ $this->fail(t('Altered query is malformed'));
+ }
+ }
+
+ /**
+ * Tests 'node_access' query alter override.
+ *
+ * Verifies that node_access_view_all_nodes() is called from
+ * node_query_node_access_alter(). We do this by checking that a user who
+ * normally would not have view privileges is able to view the nodes when we
+ * add a record to {node_access} paired with a corresponding privilege in
+ * hook_node_grants().
+ */
+ public function testNodeQueryAlterOverride() {
+ $record = [
+ 'nid' => 0,
+ 'gid' => 0,
+ 'realm' => 'node_access_all',
+ 'grant_view' => 1,
+ 'grant_update' => 0,
+ 'grant_delete' => 0,
+ ];
+ db_insert('node_access')->fields($record)->execute();
+
+ // Test that the noAccessUser still doesn't have the 'view'
+ // privilege after adding the node_access record.
+ drupal_static_reset('node_access_view_all_nodes');
+ try {
+ $query = db_select('node', 'mytab')
+ ->fields('mytab');
+ $query->addTag('node_access');
+ $query->addMetaData('op', 'view');
+ $query->addMetaData('account', $this->noAccessUser);
+
+ $result = $query->execute()->fetchAll();
+ $this->assertEqual(count($result), 0, 'User view privileges are not overridden');
+ }
+ catch (\Exception $e) {
+ $this->fail(t('Altered query is malformed'));
+ }
+
+ // Have node_test_node_grants return a node_access_all privilege,
+ // to grant the noAccessUser 'view' access. To verify that
+ // node_access_view_all_nodes is properly checking the specified
+ // $account instead of the current user, we will log in as
+ // noAccessUser2.
+ $this->drupalLogin($this->noAccessUser2);
+ \Drupal::state()->set('node_access_test.no_access_uid', $this->noAccessUser->id());
+ drupal_static_reset('node_access_view_all_nodes');
+ try {
+ $query = db_select('node', 'mytab')
+ ->fields('mytab');
+ $query->addTag('node_access');
+ $query->addMetaData('op', 'view');
+ $query->addMetaData('account', $this->noAccessUser);
+
+ $result = $query->execute()->fetchAll();
+ $this->assertEqual(count($result), 4, 'User view privileges are overridden');
+ }
+ catch (\Exception $e) {
+ $this->fail(t('Altered query is malformed'));
+ }
+ \Drupal::state()->delete('node_access_test.no_access_uid');
+ }
+
+}
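Review bot: The `catch (\Exception $e)` in every test method wraps the `assertEqual()` call as well as the query, so if the base class is PHPUnit-backed (the Functional namespace suggests it, but NodeTestBase is not visible here) a wrong row count would be caught and re-reported as 'Altered query is malformed'. For tests that guard node access filtering, that hides whether a grant exposed rows it should not have or the SQL itself failed. Keep only `$result = $query->execute()->fetchAll();` inside the `try`, assert after it, and report the cause with `$this->fail('Altered query is malformed: ' . $e->getMessage());`. In testNodeQueryAlterLowLevelEditAccess the second and third `fail()` calls would likewise never run if `fail()` throws. Separately, `$this->noAccessUser2` is assigned in setUp() without a declared property, unlike `$accessUser` and `$noAccessUser`; add `protected $noAccessUser2;` with a docblock.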