/** * Test assigning of permissions for the administrator role. */ function testAdministratorRole() { $this->drupalLogin($this->adminUser); $this->drupalGet('admin/config/people/accounts'); // Verify that the administration role is none by default. $this->assertOptionSelected('edit-user-admin-role', '', 'Administration role defaults to none.'); $this->assertFalse(Role::load($this->rid)->isAdmin()); // Set the user's role to be the administrator role. $edit = array(); $edit['user_admin_role'] = $this->rid; $this->drupalPostForm('admin/config/people/accounts', $edit, t('Save configuration')); \Drupal::entityManager()->getStorage('user_role')->resetCache(); $this->assertTrue(Role::load($this->rid)->isAdmin()); // Enable aggregator module and ensure the 'administer news feeds' // permission is assigned by default. \Drupal::service('module_installer')->install(array('aggregator')); $this->assertTrue($this->adminUser->hasPermission('administer news feeds'), 'The permission was automatically assigned to the administrator role'); // Ensure that selecting '- None -' removes the admin role. $edit = array(); $edit['user_admin_role'] = ''; $this->drupalPostForm('admin/config/people/accounts', $edit, t('Save configuration')); \Drupal::entityManager()->getStorage('user_role')->resetCache(); \Drupal::configFactory()->reset(); $this->assertFalse(Role::load($this->rid)->isAdmin()); // Manually create two admin roles, in that case the single select should be // hidden. Role::create(['id' => 'admin_role_0', 'is_admin' => TRUE, 'label' => 'Admin role 0'])->save(); Role::create(['id' => 'admin_role_1', 'is_admin' => TRUE, 'label' => 'Admin role 1'])->save(); $this->drupalGet('admin/config/people/accounts'); $this->assertNoFieldByName('user_admin_role'); }
/** * Tests rebuilding the node access permissions table with content. */ public function testNodeAccessRebuildNodeGrants() { \Drupal::service('module_installer')->install(['node_access_test']); \Drupal::state()->set('node_access_test.private', TRUE); node_access_test_add_field(NodeType::load('page')); $this->resetAll(); // Create 30 nodes so that _node_access_rebuild_batch_operation() has to run // more than once. for ($i = 0; $i < 30; $i++) { $nodes[] = $this->drupalCreateNode(array('uid' => $this->webUser->id(), 'private' => [['value' => 1]])); } /** @var \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage */ $grant_storage = \Drupal::service('node.grant_storage'); // Default realm access and node records are present. foreach ($nodes as $node) { $this->assertTrue($node->private->value); $this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'Prior to rebuilding node access the grant storage returns allowed for the node author.'); $this->assertTrue($grant_storage->access($node, 'view', $this->adminUser)->isAllowed(), 'Prior to rebuilding node access the grant storage returns allowed for the admin user.'); } $this->assertEqual(1, \Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is an all realm access record'); $this->assertTrue(\Drupal::state()->get('node.node_access_needs_rebuild'), 'Node access permissions need to be rebuilt'); // Rebuild permissions. $this->drupalGet('admin/reports/status'); $this->clickLink(t('Rebuild permissions')); $this->drupalPostForm(NULL, array(), t('Rebuild permissions')); $this->assertText(t('The content access permissions have been rebuilt.')); // Test if the rebuild by user that cannot bypass node access and does not // have access to the nodes has been successful. $this->assertFalse($this->adminUser->hasPermission('bypass node access')); $this->assertNull(\Drupal::state()->get('node.node_access_needs_rebuild'), 'Node access permissions have been rebuilt'); foreach ($nodes as $node) { $this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'After rebuilding node access the grant storage returns allowed for the node author.'); $this->assertFalse($grant_storage->access($node, 'view', $this->adminUser)->isForbidden(), 'After rebuilding node access the grant storage returns forbidden for the admin user.'); } $this->assertFalse(\Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is no all realm access record'); // Test an anonymous node access rebuild from code. $this->drupalLogout(); node_access_rebuild(); foreach ($nodes as $node) { $this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'After rebuilding node access the grant storage returns allowed for the node author.'); $this->assertFalse($grant_storage->access($node, 'view', $this->adminUser)->isForbidden(), 'After rebuilding node access the grant storage returns forbidden for the admin user.'); } $this->assertFalse(\Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is no all realm access record'); }
/** * Tests the Filter format access permissions functionality. */ function testFormatPermissions() { // Make sure that a regular user only has access to the text formats for // which they were granted access. $fallback_format = entity_load('filter_format', filter_fallback_format()); $this->assertTrue($this->allowedFormat->access('use', $this->webUser), 'A regular user has access to use a text format they were granted access to.'); $this->assertEqual(AccessResult::allowed()->cachePerRole(), $this->allowedFormat->access('use', $this->webUser, TRUE), 'A regular user has access to use a text format they were granted access to.'); $this->assertFalse($this->disallowedFormat->access('use', $this->webUser), 'A regular user does not have access to use a text format they were not granted access to.'); $this->assertEqual(AccessResult::neutral(), $this->disallowedFormat->access('use', $this->webUser, TRUE)); //, 'A regular user does not have access to use a text format they were not granted access to.'); $this->assertTrue($fallback_format->access('use', $this->webUser), 'A regular user has access to use the fallback format.'); $this->assertEqual(AccessResult::allowed(), $fallback_format->access('use', $this->webUser, TRUE), 'A regular user has access to use the fallback format.'); // Perform similar checks as above, but now against the entire list of // available formats for this user. $this->assertTrue(in_array($this->allowedFormat->id(), array_keys(filter_formats($this->webUser))), 'The allowed format appears in the list of available formats for a regular user.'); $this->assertFalse(in_array($this->disallowedFormat->id(), array_keys(filter_formats($this->webUser))), 'The disallowed format does not appear in the list of available formats for a regular user.'); $this->assertTrue(in_array(filter_fallback_format(), array_keys(filter_formats($this->webUser))), 'The fallback format appears in the list of available formats for a regular user.'); // Make sure that a regular user only has permission to use the format // they were granted access to. $this->assertTrue($this->webUser->hasPermission($this->allowedFormat->getPermissionName()), 'A regular user has permission to use the allowed text format.'); $this->assertFalse($this->webUser->hasPermission($this->disallowedFormat->getPermissionName()), 'A regular user does not have permission to use the disallowed text format.'); // Make sure that the allowed format appears on the node form and that // the disallowed format does not. $this->drupalLogin($this->webUser); $this->drupalGet('node/add/page'); $elements = $this->xpath('//select[@name=:name]/option', array(':name' => 'body[0][format]', ':option' => $this->allowedFormat->id())); $options = array(); foreach ($elements as $element) { $options[(string) $element['value']] = $element; } $this->assertTrue(isset($options[$this->allowedFormat->id()]), 'The allowed text format appears as an option when adding a new node.'); $this->assertFalse(isset($options[$this->disallowedFormat->id()]), 'The disallowed text format does not appear as an option when adding a new node.'); $this->assertFalse(isset($options[filter_fallback_format()]), 'The fallback format does not appear as an option when adding a new node.'); // Check regular user access to the filter tips pages. $this->drupalGet('filter/tips/' . $this->allowedFormat->id()); $this->assertResponse(200); $this->drupalGet('filter/tips/' . $this->disallowedFormat->id()); $this->assertResponse(403); $this->drupalGet('filter/tips/' . filter_fallback_format()); $this->assertResponse(200); $this->drupalGet('filter/tips/invalid-format'); $this->assertResponse(404); // Check admin user access to the filter tips pages. $this->drupalLogin($this->adminUser); $this->drupalGet('filter/tips/' . $this->allowedFormat->id()); $this->assertResponse(200); $this->drupalGet('filter/tips/' . $this->disallowedFormat->id()); $this->assertResponse(200); $this->drupalGet('filter/tips/' . filter_fallback_format()); $this->assertResponse(200); $this->drupalGet('filter/tips/invalid-format'); $this->assertResponse(404); }
/** * {@inheritdoc} */ public function isAllowed(UserInterface $user, $force = FALSE) { /** * Get early permissions of user, and bail out to avoid extra hook-calls. */ // Check allow-ability of state change if user is not superuser (might be cron). $type_id = $this->getWorkflowId(); if ($user->hasPermission("bypass {$type_id} workflow_transition access")) { // Superuser is special. And $force allows Rules to cause transition. return TRUE; } if ($force) { // $force allows Rules to cause transition. return TRUE; } // @todo: Keep below code aligned between WorkflowState, ~Transition, ~TransitionListController /** * Get the object and its permissions. */ $config_transitions = $this->getWorkflow()->getTransitionsByStateId($this->getFromSid(), $this->getToSid()); /** * Determine if user has Access. */ $result = FALSE; foreach ($config_transitions as $config_transition) { $result = $result || $config_transition->isAllowed($user, $force); } if ($result == FALSE) { // @todo: There is a watchdog error, but no UI-error. Is this ok? $message = t('Attempt to go to nonexistent transition (from %from_sid to %to_sid)'); $t_args = array('%from_sid' => $this->getFromSid(), '%to_sid' => $this->getToSid(), 'link' => $this->getTargetEntityId() ? $this->getTargetEntity()->link(t('View')) : ''); \Drupal::logger('workflow')->error($message, $t_args); } return $result; }
/** * {@inheritdoc} */ public function hasPermission($permission) { return $this->token->hasPermission($permission) ? $this->subject->hasPermission($permission) : FALSE; }
/** * {@inheritdoc} */ public function isAllowed(UserInterface $user, $force = FALSE) { $result = FALSE; $type_id = $this->getWorkflowId(); if ($user->hasPermission("bypass {$type_id} workflow_transition access")) { // Superuser is special. And $force allows Rules to cause transition. return TRUE; } if ($force) { return TRUE; } if ($this->getFromSid() == $this->getToSid()) { // Anyone may save an entity without changing state. return TRUE; } return TRUE == array_intersect($user->getRoles(), $this->roles); }