<?php
namespace Drupal\Tests\profile\Kernel;
use Drupal\KernelTests\Core\Entity\EntityKernelTestBase;
use Drupal\profile\ProfileTestTrait;
use Drupal\user\Entity\Role;
/**
* Tests profile role access handling.
*
* @group profile
*/
class ProfileRoleAccessTest extends EntityKernelTestBase {
use ProfileTestTrait;
/**
* Modules to enable.
*
* @var array
*/
'entity',
'profile',
'views',
];
/**
* Randomly generated profile type entity.
*
* Not restricted to any role.
*
* @var \Drupal\profile\Entity\ProfileType
*/
protected $type1;
/**
* Randomly generated profile type entity.
*
* Restricted to one of the two test roles (role2 only).
*
* @var \Drupal\profile\Entity\ProfileType
*/
protected $type2;
/**
* Randomly generated profile type entity.
*
* Restricted to both test roles (role1 and role2); the tests expect a user
* holding either one of them to be allowed.
*
* @var \Drupal\profile\Entity\ProfileType
*/
protected $type3;
/**
* Randomly generated user role entity.
*
* @var \Drupal\user\Entity\Role
*/
protected $role1;
/**
* Randomly generated user role entity.
*
* @var \Drupal\user\Entity\Role
*/
protected $role2;
/**
* The profile access handler.
*
* @var \Drupal\profile\ProfileAccessControlHandler
*/
protected $accessHandler;
/**
* The access manager.
*
* @var \Drupal\Core\Access\AccessManagerInterface
*/
protected $accessManager;
/**
* {@inheritdoc}
*/
protected function setUp(): void {
  parent::setUp();
  $this->installEntitySchema('profile');

  // Two roles with random machine names; the profile types created below
  // are restricted to different subsets of them.
  $this->role1 = Role::create([
    'id' => strtolower($this->randomMachineName(8)),
    'label' => $this->randomMachineName(8),
  ]);
  $this->role1->save();

  $this->role2 = Role::create([
    'id' => strtolower($this->randomMachineName(8)),
    'label' => $this->randomMachineName(8),
  ]);
  $this->role2->save();

  $first_role_id = $this->role1->id();
  $second_role_id = $this->role2->id();

  // type1 is given no role IDs, type2 only role2, type3 both roles.
  $this->type1 = $this->createProfileType(NULL, NULL, FALSE, []);
  $this->type2 = $this->createProfileType(NULL, NULL, FALSE, [$second_role_id]);
  $this->type3 = $this->createProfileType(NULL, NULL, FALSE, [$first_role_id, $second_role_id]);

  // Services the test methods assert against.
  $entity_type_manager = $this->container->get('entity_type.manager');
  $this->accessHandler = $entity_type_manager->getAccessControlHandler('profile');
  $this->accessManager = $this->container->get('access_manager');

  // Create and discard a first account so that none of the users created by
  // the test methods is uid 1, which would skew the access assertions.
  $this->createUser();
}
/**
* Tests profile create role access checks.
*/
public function testProfileCreate() {
"create {$this->type1->id()} profile",
"create {$this->type2->id()} profile",
"create {$this->type3->id()} profile",
]);
// The user initially has no roles, so they can only access the first
// profile type, which isn't restricted by role.
$this->assertTrue($this->accessHandler->createAccess($this->type1->id(), $user, ['profile_owner' => $user]));
$this->assertFalse($this->accessHandler->createAccess($this->type2->id(), $user, ['profile_owner' => $user]));
$this->assertFalse($this->accessHandler->createAccess($this->type3->id(), $user, ['profile_owner' => $user]));
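// No role check is performed when the profile_owner isn't passed, so all
// three types are allowed here. A caller that needs the role restriction
// enforced must pass profile_owner in the context.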
$this->accessHandler->resetCache();
$this->assertTrue($this->accessHandler->createAccess($this->type1->id(), $user));
$this->assertTrue($this->accessHandler->createAccess($this->type2->id(), $user));
$this->assertTrue($this->accessHandler->createAccess($this->type3->id(), $user));
// With role1, the user can access the first and the third profile type.
$this->accessHandler->resetCache();
$user->addRole($this->role1->id());
$user->save();
$this->assertTrue($this->accessHandler->createAccess($this->type1->id(), $user, ['profile_owner' => $user]));
$this->assertFalse($this->accessHandler->createAccess($this->type2->id(), $user, ['profile_owner' => $user]));
$this->assertTrue($this->accessHandler->createAccess($this->type3->id(), $user, ['profile_owner' => $user]));
// With role2, the user can access all three profile types.
$this->accessHandler->resetCache();
$user->addRole($this->role2->id());
$user->save();
$this->assertTrue($this->accessHandler->createAccess($this->type1->id(), $user, ['profile_owner' => $user]));
$this->assertTrue($this->accessHandler->createAccess($this->type2->id(), $user, ['profile_owner' => $user]));
$this->assertTrue($this->accessHandler->createAccess($this->type3->id(), $user, ['profile_owner' => $user]));
}
/**
* Tests profile operations role access checks.
*/
public function testProfileOperations() {
"update own {$this->type1->id()} profile",
"update own {$this->type2->id()} profile",
]);
$profile1 = $this->createProfile($this->type1, $user);
// Test access to a profile type with no role requirement.
$this->assertTrue($this->accessHandler->access($profile1, 'update', $user));
$profile2 = $this->createProfile($this->type2, $user);
$this->assertFalse($this->accessHandler->access($profile2, 'update', $user));
$this->accessHandler->resetCache();
$user->addRole($this->role2->id());
$user->save();
$profile2 = $this->reloadEntity($profile2);
$this->assertTrue($this->accessHandler->access($profile2, 'update', $user));
$operations = ['view', 'update', 'delete'];
"view any {$this->type2->id()} profile",
"update any {$this->type2->id()} profile",
"delete any {$this->type2->id()} profile",
]);
foreach ($operations as $operation) {
$this->assertTrue($this->accessHandler->access($profile2, $operation, $user2));
}
$user->removeRole($this->role2->id());
$user->save();
$this->accessHandler->resetCache();
$profile2 = $this->reloadEntity($profile2);
// Assert that each operation is denied if the profile owner doesn't have
// one of the allowed roles.
foreach ($operations as $operation) {
$this->assertFalse($this->accessHandler->access($profile2, $operation, $user2));
}
"view own {$this->type3->id()} profile",
"update own {$this->type3->id()} profile",
"delete own {$this->type3->id()} profile",
]);
$profile3 = $this->createProfile($this->type3, $user3);
// Test the operations before the user has been given one of the allowed
// roles.
foreach ($operations as $operation) {
$this->assertFalse($this->accessHandler->access($profile3, $operation, $user3));
}
$user3->addRole($this->role1->id());
$user3->save();
$this->accessHandler->resetCache();
$profile3 = $this->reloadEntity($profile3);
foreach ($operations as $operation) {
$this->assertTrue($this->accessHandler->access($profile3, $operation, $user3));
}
}