Exemplo n.º 1
0
 /**
  * Test assigning of permissions for the administrator role.
  */
 function testAdministratorRole()
 {
     $this->drupalLogin($this->adminUser);
     $this->drupalGet('admin/config/people/accounts');
     // Verify that the administration role is none by default.
     $this->assertOptionSelected('edit-user-admin-role', '', 'Administration role defaults to none.');
     $this->assertFalse(Role::load($this->rid)->isAdmin());
     // Set the user's role to be the administrator role.
     $edit = array();
     $edit['user_admin_role'] = $this->rid;
     $this->drupalPostForm('admin/config/people/accounts', $edit, t('Save configuration'));
     \Drupal::entityManager()->getStorage('user_role')->resetCache();
     $this->assertTrue(Role::load($this->rid)->isAdmin());
     // Enable aggregator module and ensure the 'administer news feeds'
     // permission is assigned by default.
     \Drupal::service('module_installer')->install(array('aggregator'));
     $this->assertTrue($this->adminUser->hasPermission('administer news feeds'), 'The permission was automatically assigned to the administrator role');
     // Ensure that selecting '- None -' removes the admin role.
     $edit = array();
     $edit['user_admin_role'] = '';
     $this->drupalPostForm('admin/config/people/accounts', $edit, t('Save configuration'));
     \Drupal::entityManager()->getStorage('user_role')->resetCache();
     \Drupal::configFactory()->reset();
     $this->assertFalse(Role::load($this->rid)->isAdmin());
     // Manually create two admin roles, in that case the single select should be
     // hidden.
     Role::create(['id' => 'admin_role_0', 'is_admin' => TRUE, 'label' => 'Admin role 0'])->save();
     Role::create(['id' => 'admin_role_1', 'is_admin' => TRUE, 'label' => 'Admin role 1'])->save();
     $this->drupalGet('admin/config/people/accounts');
     $this->assertNoFieldByName('user_admin_role');
 }
 /**
  * Tests rebuilding the node access permissions table with content.
  */
 public function testNodeAccessRebuildNodeGrants()
 {
     \Drupal::service('module_installer')->install(['node_access_test']);
     \Drupal::state()->set('node_access_test.private', TRUE);
     node_access_test_add_field(NodeType::load('page'));
     $this->resetAll();
     // Create 30 nodes so that _node_access_rebuild_batch_operation() has to run
     // more than once.
     for ($i = 0; $i < 30; $i++) {
         $nodes[] = $this->drupalCreateNode(array('uid' => $this->webUser->id(), 'private' => [['value' => 1]]));
     }
     /** @var \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage */
     $grant_storage = \Drupal::service('node.grant_storage');
     // Default realm access and node records are present.
     foreach ($nodes as $node) {
         $this->assertTrue($node->private->value);
         $this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'Prior to rebuilding node access the grant storage returns allowed for the node author.');
         $this->assertTrue($grant_storage->access($node, 'view', $this->adminUser)->isAllowed(), 'Prior to rebuilding node access the grant storage returns allowed for the admin user.');
     }
     $this->assertEqual(1, \Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is an all realm access record');
     $this->assertTrue(\Drupal::state()->get('node.node_access_needs_rebuild'), 'Node access permissions need to be rebuilt');
     // Rebuild permissions.
     $this->drupalGet('admin/reports/status');
     $this->clickLink(t('Rebuild permissions'));
     $this->drupalPostForm(NULL, array(), t('Rebuild permissions'));
     $this->assertText(t('The content access permissions have been rebuilt.'));
     // Test if the rebuild by user that cannot bypass node access and does not
     // have access to the nodes has been successful.
     $this->assertFalse($this->adminUser->hasPermission('bypass node access'));
     $this->assertNull(\Drupal::state()->get('node.node_access_needs_rebuild'), 'Node access permissions have been rebuilt');
     foreach ($nodes as $node) {
         $this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'After rebuilding node access the grant storage returns allowed for the node author.');
         $this->assertFalse($grant_storage->access($node, 'view', $this->adminUser)->isForbidden(), 'After rebuilding node access the grant storage returns forbidden for the admin user.');
     }
     $this->assertFalse(\Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is no all realm access record');
     // Test an anonymous node access rebuild from code.
     $this->drupalLogout();
     node_access_rebuild();
     foreach ($nodes as $node) {
         $this->assertTrue($grant_storage->access($node, 'view', $this->webUser)->isAllowed(), 'After rebuilding node access the grant storage returns allowed for the node author.');
         $this->assertFalse($grant_storage->access($node, 'view', $this->adminUser)->isForbidden(), 'After rebuilding node access the grant storage returns forbidden for the admin user.');
     }
     $this->assertFalse(\Drupal::service('node.grant_storage')->checkAll($this->webUser), 'There is no all realm access record');
 }
 /**
  * Tests the Filter format access permissions functionality.
  */
 function testFormatPermissions()
 {
     // Make sure that a regular user only has access to the text formats for
     // which they were granted access.
     $fallback_format = entity_load('filter_format', filter_fallback_format());
     $this->assertTrue($this->allowedFormat->access('use', $this->webUser), 'A regular user has access to use a text format they were granted access to.');
     $this->assertEqual(AccessResult::allowed()->cachePerRole(), $this->allowedFormat->access('use', $this->webUser, TRUE), 'A regular user has access to use a text format they were granted access to.');
     $this->assertFalse($this->disallowedFormat->access('use', $this->webUser), 'A regular user does not have access to use a text format they were not granted access to.');
     $this->assertEqual(AccessResult::neutral(), $this->disallowedFormat->access('use', $this->webUser, TRUE));
     //, 'A regular user does not have access to use a text format they were not granted access to.');
     $this->assertTrue($fallback_format->access('use', $this->webUser), 'A regular user has access to use the fallback format.');
     $this->assertEqual(AccessResult::allowed(), $fallback_format->access('use', $this->webUser, TRUE), 'A regular user has access to use the fallback format.');
     // Perform similar checks as above, but now against the entire list of
     // available formats for this user.
     $this->assertTrue(in_array($this->allowedFormat->id(), array_keys(filter_formats($this->webUser))), 'The allowed format appears in the list of available formats for a regular user.');
     $this->assertFalse(in_array($this->disallowedFormat->id(), array_keys(filter_formats($this->webUser))), 'The disallowed format does not appear in the list of available formats for a regular user.');
     $this->assertTrue(in_array(filter_fallback_format(), array_keys(filter_formats($this->webUser))), 'The fallback format appears in the list of available formats for a regular user.');
     // Make sure that a regular user only has permission to use the format
     // they were granted access to.
     $this->assertTrue($this->webUser->hasPermission($this->allowedFormat->getPermissionName()), 'A regular user has permission to use the allowed text format.');
     $this->assertFalse($this->webUser->hasPermission($this->disallowedFormat->getPermissionName()), 'A regular user does not have permission to use the disallowed text format.');
     // Make sure that the allowed format appears on the node form and that
     // the disallowed format does not.
     $this->drupalLogin($this->webUser);
     $this->drupalGet('node/add/page');
     $elements = $this->xpath('//select[@name=:name]/option', array(':name' => 'body[0][format]', ':option' => $this->allowedFormat->id()));
     $options = array();
     foreach ($elements as $element) {
         $options[(string) $element['value']] = $element;
     }
     $this->assertTrue(isset($options[$this->allowedFormat->id()]), 'The allowed text format appears as an option when adding a new node.');
     $this->assertFalse(isset($options[$this->disallowedFormat->id()]), 'The disallowed text format does not appear as an option when adding a new node.');
     $this->assertFalse(isset($options[filter_fallback_format()]), 'The fallback format does not appear as an option when adding a new node.');
     // Check regular user access to the filter tips pages.
     $this->drupalGet('filter/tips/' . $this->allowedFormat->id());
     $this->assertResponse(200);
     $this->drupalGet('filter/tips/' . $this->disallowedFormat->id());
     $this->assertResponse(403);
     $this->drupalGet('filter/tips/' . filter_fallback_format());
     $this->assertResponse(200);
     $this->drupalGet('filter/tips/invalid-format');
     $this->assertResponse(404);
     // Check admin user access to the filter tips pages.
     $this->drupalLogin($this->adminUser);
     $this->drupalGet('filter/tips/' . $this->allowedFormat->id());
     $this->assertResponse(200);
     $this->drupalGet('filter/tips/' . $this->disallowedFormat->id());
     $this->assertResponse(200);
     $this->drupalGet('filter/tips/' . filter_fallback_format());
     $this->assertResponse(200);
     $this->drupalGet('filter/tips/invalid-format');
     $this->assertResponse(404);
 }
Exemplo n.º 4
0
 /**
  * {@inheritdoc}
  */
 public function isAllowed(UserInterface $user, $force = FALSE)
 {
     /**
      * Get early permissions of user, and bail out to avoid extra hook-calls.
      */
     // Check allow-ability of state change if user is not superuser (might be cron).
     $type_id = $this->getWorkflowId();
     if ($user->hasPermission("bypass {$type_id} workflow_transition access")) {
         // Superuser is special. And $force allows Rules to cause transition.
         return TRUE;
     }
     if ($force) {
         // $force allows Rules to cause transition.
         return TRUE;
     }
     // @todo: Keep below code aligned between WorkflowState, ~Transition, ~TransitionListController
     /**
      * Get the object and its permissions.
      */
     $config_transitions = $this->getWorkflow()->getTransitionsByStateId($this->getFromSid(), $this->getToSid());
     /**
      * Determine if user has Access.
      */
     $result = FALSE;
     foreach ($config_transitions as $config_transition) {
         $result = $result || $config_transition->isAllowed($user, $force);
     }
     if ($result == FALSE) {
         // @todo: There is a watchdog error, but no UI-error. Is this ok?
         $message = t('Attempt to go to nonexistent transition (from %from_sid to %to_sid)');
         $t_args = array('%from_sid' => $this->getFromSid(), '%to_sid' => $this->getToSid(), 'link' => $this->getTargetEntityId() ? $this->getTargetEntity()->link(t('View')) : '');
         \Drupal::logger('workflow')->error($message, $t_args);
     }
     return $result;
 }
 /**
  * {@inheritdoc}
  */
 public function hasPermission($permission)
 {
     return $this->token->hasPermission($permission) ? $this->subject->hasPermission($permission) : FALSE;
 }
 /**
  * {@inheritdoc}
  */
 public function isAllowed(UserInterface $user, $force = FALSE)
 {
     $result = FALSE;
     $type_id = $this->getWorkflowId();
     if ($user->hasPermission("bypass {$type_id} workflow_transition access")) {
         // Superuser is special. And $force allows Rules to cause transition.
         return TRUE;
     }
     if ($force) {
         return TRUE;
     }
     if ($this->getFromSid() == $this->getToSid()) {
         // Anyone may save an entity without changing state.
         return TRUE;
     }
     return TRUE == array_intersect($user->getRoles(), $this->roles);
 }