diff --git a/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TaxonomyImageTest.php b/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TaxonomyImageTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..db007057cd7ae64ba5bb6df26ce97f7bbf05da20
--- /dev/null
+++ b/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TaxonomyImageTest.php
@@ -0,0 +1,102 @@
+ 'Taxonomy Image Test',
+ 'description' => 'Tests access checks of private image fields',
+ 'group' => 'Taxonomy',
+ );
+ }
+
+ public function setUp() {
+ parent::setUp();
+
+ // Remove access content permission from registered users.
+ user_role_revoke_permissions(DRUPAL_AUTHENTICATED_RID, array('access content'));
+
+ $this->vocabulary = $this->createVocabulary();
+ // Add a field instance to the vocabulary.
+ $entity_type = 'taxonomy_term';
+ $name = 'field_test';
+ entity_create('field_entity', array(
+ 'name' => $name,
+ 'entity_type' => $entity_type,
+ 'type' => 'image',
+ 'settings' => array(
+ 'uri_scheme' => 'private',
+ ),
+ ))->save();
+ entity_create('field_instance', array(
+ 'field_name' => $name,
+ 'entity_type' => $entity_type,
+ 'bundle' => $this->vocabulary->id(),
+ 'settings' => array(),
+ ))->save();
+ entity_get_display($entity_type, $this->vocabulary->id(), 'default')
+ ->setComponent($name, array(
+ 'type' => 'image',
+ 'settings' => array(),
+ ))
+ ->save();
+ entity_get_form_display($entity_type, $this->vocabulary->id(), 'default')
+ ->setComponent($name, array(
+ 'type' => 'image_image',
+ 'settings' => array(),
+ ))
+ ->save();
+ }
+
+ public function testTaxonomyImageAccess() {
+ $user = $this->drupalCreateUser(array('administer site configuration', 'administer taxonomy', 'access user profiles'));
+ $this->drupalLogin($user);
+
+ // Create a term and upload the image.
+ $files = $this->drupalGetTestFiles('image');
+ $image = array_pop($files);
+ $edit['name'] = $this->randomName();
+ $edit['files[field_test_0]'] = drupal_realpath($image->uri);
+ $this->drupalPostForm('admin/structure/taxonomy/manage/' . $this->vocabulary->id() .
'/add', $edit, t('Save'));
+ $terms = entity_load_multiple_by_properties('taxonomy_term', array('name' => $edit['name']));
+ $term = reset($terms);
+ $this->assertText(t('Created new term @name.', array('@name' => $term->label())));
+
+ // Create a user that should have access to the file and one that doesn't.
+ $access_user = $this->drupalCreateUser(array('access content'));
+ $no_access_user = $this->drupalCreateUser();
+ $image = file_load($term->field_test->target_id);
+ $this->drupalLogin($access_user);
+ $this->drupalGet(file_create_url($image->getFileUri()));
+ $this->assertResponse(200, 'Private image on term is accessible with right permission');
+
+ $this->drupalLogin($no_access_user);
+ $this->drupalGet(file_create_url($image->getFileUri()));
+ $this->assertResponse(403, 'Private image on term not accessible without right permission');
+ }
+
+}
diff --git a/core/modules/taxonomy/taxonomy.module b/core/modules/taxonomy/taxonomy.module
index 6c996acd66d22393af214eb1ab7477e923743446..4f9cec1be3a54946351bc33254b0a8b5670c6b79 100644
--- a/core/modules/taxonomy/taxonomy.module
+++ b/core/modules/taxonomy/taxonomy.module
@@ -8,6 +8,7 @@
 use Drupal\Core\Entity\DatabaseStorageController;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Entity\Field\FieldDefinitionInterface;
+use Drupal\file\FileInterface;
 use Drupal\node\Entity\Node;
 use Drupal\taxonomy\Entity\Term;
 use Drupal\taxonomy\Entity\Vocabulary;
@@ -828,6 +829,15 @@ function taxonomy_term_load($tid) {
 return entity_load('taxonomy_term', $tid);
 }
+/**
+ * Implements hook_file_download_access().
+ */
+function taxonomy_file_download_access($field, EntityInterface $entity, FileInterface $file) {
+ if ($entity->entityType() == 'taxonomy_term') {
+ return $entity->access('view');
+ }
+}
+
 /**
 * Implodes a list of tags of a certain vocabulary into a string.
 *
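Review bot: The denial path in `testTaxonomyImageAccess()` is checked only for one logged-in account without 'access content'; a logged-out request for the private file is never made. `setUp()` revokes the permission from `DRUPAL_AUTHENTICATED_RID` only, and whether the anonymous role holds it in this test profile is not visible here, so I would also revoke it for `DRUPAL_ANONYMOUS_RID` and add `$this->drupalLogout();` followed by the same `drupalGet()` and `assertResponse(403, …)`. Separately, `$term = reset($terms);` is dereferenced without an assertion that the term was created, so a failed form post would surface as a fatal error rather than a test failure. The opening lines of the new file are not legible on this page, so the class header is not covered by this review.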
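Review bot: `taxonomy_file_download_access()` falls off the end without a return for every other entity type, and the docblock does not say what that means for the caller. As I understand the hook's contract, a missing return is read as "no opinion" and a `FALSE` from one implementation can still be outweighed by a grant from another entity that references the same file; that should be written down, e.g. `// No return for other entity types: this module has no opinion on them.` The comparison is also better strict, `if ($entity->entityType() === 'taxonomy_term') {`, and `$field` and `$file` are unused, which is worth a one-line remark so nobody assumes the check is per-field.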