Newer
Older
Angie Byron
committed
<?php
namespace Drupal\KernelTests\Core\Entity;
Angie Byron
committed
use Drupal\Core\Language\LanguageInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Access\AccessibleInterface;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Session\AnonymousUserSession;
use Drupal\entity_test\Entity\EntityTest;
use Drupal\entity_test\Entity\EntityTestStringId;
use Drupal\entity_test\Entity\EntityTestDefaultAccess;
use Drupal\entity_test\Entity\EntityTestNoUuid;
use Drupal\entity_test\Entity\EntityTestLabel;
use Drupal\entity_test\Entity\EntityTestRev;
use Drupal\language\Entity\ConfigurableLanguage;
use Drupal\user\Entity\User;
Angie Byron
committed
/**
* Tests the entity access control handler.
* @coversDefaultClass \Drupal\Core\Entity\EntityAccessControlHandler
* @group Entity
Angie Byron
committed
*/
Alex Pott
committed
class EntityAccessControlHandlerTest extends EntityLanguageTestBase {
Angie Byron
committed
/**
* {@inheritdoc}
*/
public function setUp() {
parent::setUp();
$this->installEntitySchema('entity_test_no_uuid');
$this->installEntitySchema('entity_test_rev');
$this->installEntitySchema('entity_test_string_id');
}
Angie Byron
committed
/**
* Asserts entity access correctly grants or denies access.
*/
public function assertEntityAccess($ops, AccessibleInterface $object, AccountInterface $account = NULL) {
Angie Byron
committed
foreach ($ops as $op => $result) {
$message = format_string("Entity access returns @result with operation '@op'.", [
Angie Byron
committed
'@result' => !isset($result) ? 'null' : ($result ? 'true' : 'false'),
Angie Byron
committed
'@op' => $op,
]);
Angie Byron
committed
$this->assertEqual($result, $object->access($op, $account), $message);
}
}
/**
* Ensures user labels are accessible for everyone.
*/
public function testUserLabelAccess() {
// Set up a non-admin user.
\Drupal::currentUser()->setAccount($this->createUser(['uid' => 2]));
$anonymous_user = User::getAnonymousUser();
$user = $this->createUser();
// The current user is allowed to view the anonymous user label.
$this->assertEntityAccess([
'create' => FALSE,
'update' => FALSE,
'delete' => FALSE,
'view' => FALSE,
'view label' => TRUE,
], $anonymous_user);
// The current user is allowed to view user labels.
$this->assertEntityAccess([
'create' => FALSE,
'update' => FALSE,
'delete' => FALSE,
'view' => FALSE,
'view label' => TRUE,
], $user);
// Switch to a anonymous user account.
$account_switcher = \Drupal::service('account_switcher');
$account_switcher->switchTo(new AnonymousUserSession());
// The anonymous user is allowed to view the anonymous user label.
$this->assertEntityAccess([
'create' => FALSE,
'update' => FALSE,
'delete' => FALSE,
'view' => FALSE,
'view label' => TRUE,
], $anonymous_user);
// The anonymous user is allowed to view user labels.
$this->assertEntityAccess([
'create' => FALSE,
'update' => FALSE,
'delete' => FALSE,
'view' => FALSE,
'view label' => TRUE,
], $user);
// Restore user account.
$account_switcher->switchBack();
}
Angie Byron
committed
/**
* Ensures entity access is properly working.
*/
public function testEntityAccess() {
Angie Byron
committed
// Set up a non-admin user that is allowed to view test entities.
\Drupal::currentUser()->setAccount($this->createUser(['uid' => 2], ['view test entity']));
// Use the 'entity_test_label' entity type in order to test the 'view label'
// access operation.
$entity = EntityTestLabel::create([
Angie Byron
committed
'name' => 'test',
]);
Angie Byron
committed
Angie Byron
committed
// The current user is allowed to view entities.
$this->assertEntityAccess([
Angie Byron
committed
'create' => FALSE,
'update' => FALSE,
'delete' => FALSE,
Angie Byron
committed
'view' => TRUE,
'view label' => TRUE,
], $entity);
Angie Byron
committed
// The custom user is not allowed to perform any operation on test entities,
// except for viewing their label.
Angie Byron
committed
$custom_user = $this->createUser();
$this->assertEntityAccess([
Angie Byron
committed
'create' => FALSE,
'update' => FALSE,
'delete' => FALSE,
Angie Byron
committed
'view' => FALSE,
'view label' => TRUE,
], $entity, $custom_user);
Angie Byron
committed
}
/**
* Ensures default entity access is checked when necessary.
*
* This ensures that the default checkAccess() implementation of the
* entity access control handler is considered if hook_entity_access() has not
* explicitly forbidden access. Therefore the default checkAccess()
* implementation can forbid access, even after access was already explicitly
* allowed by hook_entity_access().
*
* @see \Drupal\entity_test\EntityTestAccessControlHandler::checkAccess()
* @see entity_test_entity_access()
*/
public function testDefaultEntityAccess() {
// Set up a non-admin user that is allowed to view test entities.
\Drupal::currentUser()->setAccount($this->createUser(['uid' => 2], ['view test entity']));
$entity = EntityTest::create([
'name' => 'forbid_access',
]);
// The user is denied access to the entity.
$this->assertEntityAccess([
'create' => FALSE,
'update' => FALSE,
'delete' => FALSE,
'view' => FALSE,
], $entity);
}
Angie Byron
committed
/**
* Ensures that the default handler is used as a fallback.
Angie Byron
committed
*/
public function testEntityAccessDefaultController() {
Alex Pott
committed
// The implementation requires that the global user id can be loaded.
\Drupal::currentUser()->setAccount($this->createUser(['uid' => 2]));
Alex Pott
committed
// Check that the default access control handler is used for entities that don't
// have a specific access control handler defined.
$handler = $this->container->get('entity.manager')->getAccessControlHandler('entity_test_default_access');
$this->assertTrue($handler instanceof EntityAccessControlHandler, 'The default entity handler is used for the entity_test_default_access entity type.');
Angie Byron
committed
$entity = EntityTestDefaultAccess::create();
$this->assertEntityAccess([
Angie Byron
committed
'create' => FALSE,
'update' => FALSE,
'delete' => FALSE,
'view' => FALSE,
], $entity);
Angie Byron
committed
}
/**
* Ensures entity access for entity translations is properly working.
*/
public function testEntityTranslationAccess() {
Angie Byron
committed
// Set up a non-admin user that is allowed to view test entity translations.
\Drupal::currentUser()->setAccount($this->createUser(['uid' => 2], ['view test entity translations']));
Angie Byron
committed
// Create two test languages.
foreach (['foo', 'bar'] as $langcode) {
ConfigurableLanguage::create([
'id' => $langcode,
'label' => $this->randomString(),
])->save();
Angie Byron
committed
}
$entity = EntityTest::create([
Angie Byron
committed
'name' => 'test',
'langcode' => 'foo',
]);
Angie Byron
committed
$entity->save();
$translation = $entity->addTranslation('bar');
$this->assertEntityAccess([
Angie Byron
committed
'view' => TRUE,
], $translation);
Angie Byron
committed
}
Alex Pott
committed
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
/**
* Ensures the static access cache works correctly in the absence of an UUID.
*
* @see entity_test_entity_access()
*/
public function testEntityWithoutUuidAccessCache() {
$account = $this->createUser();
$entity1 = EntityTestNoUuid::create([
'name' => 'Accessible',
]);
$entity1->save();
$entity2 = EntityTestNoUuid::create([
'name' => 'Inaccessible',
]);
$entity2->save();
$this->assertTrue($entity1->access('delete', $account), 'Entity 1 can be deleted.');
$this->assertFalse($entity2->access('delete', $account), 'Entity 2 CANNOT be deleted.');
$entity1
->setName('Inaccessible')
->setNewRevision();
$entity1->save();
$this->assertFalse($entity1->access('delete', $account), 'Entity 1 revision 2 CANNOT be deleted.');
}
/**
* Ensures the static access cache works correctly with a UUID and revisions.
*
* @see entity_test_entity_access()
*/
public function testEntityWithUuidAccessCache() {
$account = $this->createUser();
$entity1 = EntityTestRev::create([
'name' => 'Accessible',
]);
$entity1->save();
$entity2 = EntityTestRev::create([
'name' => 'Inaccessible',
]);
$entity2->save();
$this->assertTrue($entity1->access('delete', $account), 'Entity 1 can be deleted.');
$this->assertFalse($entity2->access('delete', $account), 'Entity 2 CANNOT be deleted.');
$entity1
->setName('Inaccessible')
->setNewRevision();
$entity1->save();
$this->assertFalse($entity1->access('delete', $account), 'Entity 1 revision 2 CANNOT be deleted.');
}
Alex Pott
committed
/**
* Tests hook invocations.
*/
Alex Pott
committed
$state = $this->container->get('state');
$entity = EntityTest::create([
Alex Pott
committed
'name' => 'test',
]);
Alex Pott
committed
// Test hook_entity_create_access() and hook_ENTITY_TYPE_create_access().
$entity->access('create');
$this->assertEqual($state->get('entity_test_entity_create_access'), TRUE);
$this->assertIdentical($state->get('entity_test_entity_create_access_context'), [
'entity_type_id' => 'entity_test',
'langcode' => LanguageInterface::LANGCODE_DEFAULT,
]);
Alex Pott
committed
$this->assertEqual($state->get('entity_test_entity_test_create_access'), TRUE);
// Test hook_entity_access() and hook_ENTITY_TYPE_access().
$entity->access('view');
$this->assertEqual($state->get('entity_test_entity_access'), TRUE);
$this->assertEqual($state->get('entity_test_entity_test_access'), TRUE);
}
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
/**
* Tests the default access handling for the ID and UUID fields.
*
* @covers ::fieldAccess
* @dataProvider providerTestFieldAccess
*/
public function testFieldAccess($entity_class, array $entity_create_values, $expected_id_create_access) {
// Set up a non-admin user that is allowed to create and update test
// entities.
\Drupal::currentUser()->setAccount($this->createUser(['uid' => 2], ['administer entity_test content']));
// Create the entity to test field access with.
$entity = $entity_class::create($entity_create_values);
// On newly-created entities, field access must allow setting the UUID
// field.
$this->assertTrue($entity->get('uuid')->access('edit'));
$this->assertTrue($entity->get('uuid')->access('edit', NULL, TRUE)->isAllowed());
// On newly-created entities, field access will not allow setting the ID
// field if the ID is of type serial. It will allow access if it is of type
// string.
$this->assertEquals($expected_id_create_access, $entity->get('id')->access('edit'));
$this->assertEquals($expected_id_create_access, $entity->get('id')->access('edit', NULL, TRUE)->isAllowed());
// Save the entity and check that we can not update the ID or UUID fields
// anymore.
$entity->save();
// If the ID has been set as part of the create ensure it has been set
// correctly.
if (isset($entity_create_values['id'])) {
$this->assertSame($entity_create_values['id'], $entity->id());
}
// The UUID is hard-coded by the data provider.
$this->assertSame('60e3a179-79ed-4653-ad52-5e614c8e8fbe', $entity->uuid());
$this->assertFalse($entity->get('uuid')->access('edit'));
$access_result = $entity->get('uuid')->access('edit', NULL, TRUE);
$this->assertTrue($access_result->isForbidden());
$this->assertEquals('The entity UUID cannot be changed', $access_result->getReason());
// Ensure the ID is still not allowed to be edited.
$this->assertFalse($entity->get('id')->access('edit'));
$access_result = $entity->get('id')->access('edit', NULL, TRUE);
$this->assertTrue($access_result->isForbidden());
$this->assertEquals('The entity ID cannot be changed', $access_result->getReason());
}
public function providerTestFieldAccess() {
return [
'serial ID entity' => [
EntityTest::class,
[
'name' => 'A test entity',
'uuid' => '60e3a179-79ed-4653-ad52-5e614c8e8fbe',
],
FALSE
],
'string ID entity' => [
EntityTestStringId::class,
[
'id' => 'a_test_entity',
'name' => 'A test entity',
'uuid' => '60e3a179-79ed-4653-ad52-5e614c8e8fbe',
],
TRUE
],
];
}