/**
* Test assigning of permissions for the administrator role.
*/
function testAdministratorRole()
{
$this->drupalLogin($this->adminUser);
$this->drupalGet('admin/config/people/accounts');
// Verify that the administration role is none by default.
$this->assertOptionSelected('edit-user-admin-role', '', 'Administration role defaults to none.');
$this->assertFalse(Role::load($this->rid)->isAdmin());
// Set the user's role to be the administrator role.
$edit = array();
$edit['user_admin_role'] = $this->rid;
$this->drupalPostForm('admin/config/people/accounts', $edit, t('Save configuration'));
\Drupal::entityManager()->getStorage('user_role')->resetCache();
$this->assertTrue(Role::load($this->rid)->isAdmin());
// Enable aggregator module and ensure the 'administer news feeds'
// permission is assigned by default.
\Drupal::service('module_installer')->install(array('aggregator'));
$this->assertTrue($this->adminUser->hasPermission('administer news feeds'), 'The permission was automatically assigned to the administrator role');
// Ensure that selecting '- None -' removes the admin role.
$edit = array();
$edit['user_admin_role'] = '';
$this->drupalPostForm('admin/config/people/accounts', $edit, t('Save configuration'));
\Drupal::entityManager()->getStorage('user_role')->resetCache();
\Drupal::configFactory()->reset();
$this->assertFalse(Role::load($this->rid)->isAdmin());
// Manually create two admin roles, in that case the single select should be
// hidden.
Role::create(['id' => 'admin_role_0', 'is_admin' => TRUE, 'label' => 'Admin role 0'])->save();
Role::create(['id' => 'admin_role_1', 'is_admin' => TRUE, 'label' => 'Admin role 1'])->save();
$this->drupalGet('admin/config/people/accounts');
$this->assertNoFieldByName('user_admin_role');
}
/**
* Tests rebuilding the node access permissions table with content.
*/
public function testNodeAccessRebuildNodeGrants()
{
\Drupal::service('module_installer')->install(['node_access_test']);
\Drupal::state()->set('node_access_test.private', TRUE);
node_access_test_add_field(NodeType::load('page'));
$this->resetAll();
// Create 30 nodes so that _node_access_rebuild_batch_operation() has to run
// more than once.
for ($i = 0; $i < 30; $i++) {
$nodes[] = $this->drupalCreateNode(array('uid' => $this->webUser->id(), 'private' => [['value' => 1]]));
}
/** @var \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage */
$grant_storage = \Drupal::service('node.grant_storage');
// Default realm access and node records are present.
foreach ($nodes as $node) {
$this->assertTrue($node->private->value);
$this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'Prior to rebuilding node access the grant storage returns allowed for the node author.');
$this->assertTrue($grant_storage->access($node, 'view', $this->adminUser)->isAllowed(), 'Prior to rebuilding node access the grant storage returns allowed for the admin user.');
}
$this->assertEqual(1, \Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is an all realm access record');
$this->assertTrue(\Drupal::state()->get('node.node_access_needs_rebuild'), 'Node access permissions need to be rebuilt');
// Rebuild permissions.
$this->drupalGet('admin/reports/status');
$this->clickLink(t('Rebuild permissions'));
$this->drupalPostForm(NULL, array(), t('Rebuild permissions'));
$this->assertText(t('The content access permissions have been rebuilt.'));
// Test if the rebuild by user that cannot bypass node access and does not
// have access to the nodes has been successful.
$this->assertFalse($this->adminUser->hasPermission('bypass node access'));
$this->assertNull(\Drupal::state()->get('node.node_access_needs_rebuild'), 'Node access permissions have been rebuilt');
foreach ($nodes as $node) {
$this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'After rebuilding node access the grant storage returns allowed for the node author.');
$this->assertFalse($grant_storage->access($node, 'view', $this->adminUser)->isForbidden(), 'After rebuilding node access the grant storage returns forbidden for the admin user.');
}
$this->assertFalse(\Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is no all realm access record');
// Test an anonymous node access rebuild from code.
$this->drupalLogout();
node_access_rebuild();
foreach ($nodes as $node) {
$this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'After rebuilding node access the grant storage returns allowed for the node author.');
$this->assertFalse($grant_storage->access($node, 'view', $this->adminUser)->isForbidden(), 'After rebuilding node access the grant storage returns forbidden for the admin user.');
}
$this->assertFalse(\Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is no all realm access record');
}
/**
* Tests the Filter format access permissions functionality.
*/
function testFormatPermissions()
{
// Make sure that a regular user only has access to the text formats for
// which they were granted access.
$fallback_format = entity_load('filter_format', filter_fallback_format());
$this->assertTrue($this->allowedFormat->access('use', $this->webUser), 'A regular user has access to use a text format they were granted access to.');
$this->assertEqual(AccessResult::allowed()->cachePerRole(), $this->allowedFormat->access('use', $this->webUser, TRUE), 'A regular user has access to use a text format they were granted access to.');
$this->assertFalse($this->disallowedFormat->access('use', $this->webUser), 'A regular user does not have access to use a text format they were not granted access to.');
$this->assertEqual(AccessResult::neutral(), $this->disallowedFormat->access('use', $this->webUser, TRUE));
//, 'A regular user does not have access to use a text format they were not granted access to.');
$this->assertTrue($fallback_format->access('use', $this->webUser), 'A regular user has access to use the fallback format.');
$this->assertEqual(AccessResult::allowed(), $fallback_format->access('use', $this->webUser, TRUE), 'A regular user has access to use the fallback format.');
// Perform similar checks as above, but now against the entire list of
// available formats for this user.
$this->assertTrue(in_array($this->allowedFormat->id(), array_keys(filter_formats($this->webUser))), 'The allowed format appears in the list of available formats for a regular user.');
$this->assertFalse(in_array($this->disallowedFormat->id(), array_keys(filter_formats($this->webUser))), 'The disallowed format does not appear in the list of available formats for a regular user.');
$this->assertTrue(in_array(filter_fallback_format(), array_keys(filter_formats($this->webUser))), 'The fallback format appears in the list of available formats for a regular user.');
// Make sure that a regular user only has permission to use the format
// they were granted access to.
$this->assertTrue($this->webUser->hasPermission($this->allowedFormat->getPermissionName()), 'A regular user has permission to use the allowed text format.');
$this->assertFalse($this->webUser->hasPermission($this->disallowedFormat->getPermissionName()), 'A regular user does not have permission to use the disallowed text format.');
// Make sure that the allowed format appears on the node form and that
// the disallowed format does not.
$this->drupalLogin($this->webUser);
$this->drupalGet('node/add/page');
$elements = $this->xpath('//select[@name=:name]/option', array(':name' => 'body[0][format]', ':option' => $this->allowedFormat->id()));
$options = array();
foreach ($elements as $element) {
$options[(string) $element['value']] = $element;
}
$this->assertTrue(isset($options[$this->allowedFormat->id()]), 'The allowed text format appears as an option when adding a new node.');
$this->assertFalse(isset($options[$this->disallowedFormat->id()]), 'The disallowed text format does not appear as an option when adding a new node.');
$this->assertFalse(isset($options[filter_fallback_format()]), 'The fallback format does not appear as an option when adding a new node.');
// Check regular user access to the filter tips pages.
$this->drupalGet('filter/tips/' . $this->allowedFormat->id());
$this->assertResponse(200);
$this->drupalGet('filter/tips/' . $this->disallowedFormat->id());
$this->assertResponse(403);
$this->drupalGet('filter/tips/' . filter_fallback_format());
$this->assertResponse(200);
$this->drupalGet('filter/tips/invalid-format');
$this->assertResponse(404);
// Check admin user access to the filter tips pages.
$this->drupalLogin($this->adminUser);
$this->drupalGet('filter/tips/' . $this->allowedFormat->id());
$this->assertResponse(200);
$this->drupalGet('filter/tips/' . $this->disallowedFormat->id());
$this->assertResponse(200);
$this->drupalGet('filter/tips/' . filter_fallback_format());
$this->assertResponse(200);
$this->drupalGet('filter/tips/invalid-format');
$this->assertResponse(404);
}
/**
* {@inheritdoc}
*/
public function isAllowed(UserInterface $user, $force = FALSE)
{
/**
* Get early permissions of user, and bail out to avoid extra hook-calls.
*/
// Check allow-ability of state change if user is not superuser (might be cron).
$type_id = $this->getWorkflowId();
if ($user->hasPermission("bypass {$type_id} workflow_transition access")) {
// Superuser is special. And $force allows Rules to cause transition.
return TRUE;
}
if ($force) {
// $force allows Rules to cause transition.
return TRUE;
}
// @todo: Keep below code aligned between WorkflowState, ~Transition, ~TransitionListController
/**
* Get the object and its permissions.
*/
$config_transitions = $this->getWorkflow()->getTransitionsByStateId($this->getFromSid(), $this->getToSid());
/**
* Determine if user has Access.
*/
$result = FALSE;
foreach ($config_transitions as $config_transition) {
$result = $result || $config_transition->isAllowed($user, $force);
}
if ($result == FALSE) {
// @todo: There is a watchdog error, but no UI-error. Is this ok?
$message = t('Attempt to go to nonexistent transition (from %from_sid to %to_sid)');
$t_args = array('%from_sid' => $this->getFromSid(), '%to_sid' => $this->getToSid(), 'link' => $this->getTargetEntityId() ? $this->getTargetEntity()->link(t('View')) : '');
\Drupal::logger('workflow')->error($message, $t_args);
}
return $result;
}
/**
* {@inheritdoc}
*/
public function hasPermission($permission)
{
return $this->token->hasPermission($permission) ? $this->subject->hasPermission($permission) : FALSE;
}
/**
* {@inheritdoc}
*/
public function isAllowed(UserInterface $user, $force = FALSE)
{
$result = FALSE;
$type_id = $this->getWorkflowId();
if ($user->hasPermission("bypass {$type_id} workflow_transition access")) {
// Superuser is special. And $force allows Rules to cause transition.
return TRUE;
}
if ($force) {
return TRUE;
}
if ($this->getFromSid() == $this->getToSid()) {
// Anyone may save an entity without changing state.
return TRUE;
}
return TRUE == array_intersect($user->getRoles(), $this->roles);
}
