/**
 * Tests the formatter output.
 *
 * Checks the 'user_name' formatter for a stored account and for the
 * anonymous account: the themed output must carry the very same account
 * object, and the unlinked variant must render the display name.
 */
public function testFormatter() {
  $field_name = $this->fieldName;
  $linked = ['type' => 'user_name'];
  $unlinked = ['type' => 'user_name', 'settings' => ['link_to_entity' => FALSE]];

  // A saved account: the themed output wraps the same object instance.
  $account = User::create(['name' => 'test name']);
  $account->save();
  $build = $account->{$field_name}->view($linked);
  $this->assertEqual('username', $build[0]['#theme']);
  $this->assertEqual(spl_object_hash($account), spl_object_hash($build[0]['#account']));
  $build = $account->{$field_name}->view($unlinked);
  $this->assertEqual($account->getDisplayName(), $build[0]['#markup']);

  // The anonymous account behaves the same way; its unlinked markup is the
  // configured anonymous name.
  $account = User::getAnonymousUser();
  $build = $account->{$field_name}->view($linked);
  $this->assertEqual('username', $build[0]['#theme']);
  $this->assertEqual(spl_object_hash($account), spl_object_hash($build[0]['#account']));
  $build = $account->{$field_name}->view($unlinked);
  $this->assertEqual($account->getDisplayName(), $build[0]['#markup']);
  $this->assertEqual($this->config('user.settings')->get('anonymous'), $build[0]['#markup']);
}
/**
 * Ensures user labels are accessible for everyone.
 *
 * Both an authenticated non-admin account and the anonymous session must be
 * granted 'view label' on user entities while create/update/delete/view stay
 * denied.
 */
public function testUserLabelAccess() {
  // Label-only access: everything except 'view label' is denied.
  $label_only = array(
    'create' => FALSE,
    'update' => FALSE,
    'delete' => FALSE,
    'view' => FALSE,
    'view label' => TRUE,
  );

  // Act as a non-admin user.
  \Drupal::currentUser()->setAccount($this->createUser(['uid' => 2]));
  $anonymous_user = User::getAnonymousUser();
  $user = $this->createUser();

  // The anonymous user's label and a regular user's label are viewable.
  $this->assertEntityAccess($label_only, $anonymous_user);
  $this->assertEntityAccess($label_only, $user);

  // Repeat both checks as the anonymous session, then restore the account.
  $account_switcher = \Drupal::service('account_switcher');
  $account_switcher->switchTo(new AnonymousUserSession());
  $this->assertEntityAccess($label_only, $anonymous_user);
  $this->assertEntityAccess($label_only, $user);
  $account_switcher->switchBack();
}
/**
 * {@inheritdoc}
 *
 * When the 'uid' reference is missing or points at the anonymous user, the
 * anonymous account is returned with its name set to the configured
 * anonymous display name.
 */
public function getOwner() {
  $owner = $this->get('uid')->entity;
  if ($owner && !$owner->isAnonymous()) {
    return $owner;
  }
  $anonymous = \Drupal\user\Entity\User::getAnonymousUser();
  $anonymous->name = \Drupal::config('user.settings')->get('anonymous');
  return $anonymous;
}
/**
 * Delete account and anonymize all content.
 *
 * Exercises the 'user_cancel_reassign' cancellation method end to end: the
 * account requests cancellation, follows the confirmation link, and its node,
 * node revision and comment are reassigned to the anonymous user (uid 0),
 * while a newer revision owned by someone else keeps its owner.
 */
function testUserAnonymize() {
  $node_storage = $this->container->get('entity.manager')->getStorage('node');
  // Reassign content to the anonymous user instead of deleting it with the
  // account.
  $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

  // Create comment field on page.
  $this->addDefaultCommentField('node', 'page');

  $user_storage = $this->container->get('entity.manager')->getStorage('user');

  // Create a user.
  $account = $this->drupalCreateUser(array('cancel account'));
  $this->drupalLogin($account);
  // Load a real user object.
  $user_storage->resetCache(array($account->id()));
  $account = $user_storage->load($account->id());

  // Create a simple node.
  $node = $this->drupalCreateNode(array('uid' => $account->id()));

  // Add a comment to the page.
  $comment_subject = $this->randomMachineName(8);
  $comment_body = $this->randomMachineName(8);
  $comment = Comment::create(array(
    'subject' => $comment_subject,
    'comment_body' => $comment_body,
    'entity_id' => $node->id(),
    'entity_type' => 'node',
    'field_name' => 'comment',
    'status' => CommentInterface::PUBLISHED,
    'uid' => $account->id()
  ));
  $comment->save();

  // Create a node with two revisions, the initial one belonging to the
  // cancelling user.
  $revision_node = $this->drupalCreateNode(array('uid' => $account->id()));
  $revision = $revision_node->getRevisionId();
  $settings = get_object_vars($revision_node);
  $settings['revision'] = 1;
  // Set new/current revision to someone else (uid 1).
  $settings['uid'] = 1;
  $revision_node = $this->drupalCreateNode($settings);

  // Attempt to cancel account.
  $this->drupalGet('user/' . $account->id() . '/edit');
  $this->drupalPostForm(NULL, NULL, t('Cancel account'));
  $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
  $this->assertRaw(t('Your account will be removed and all account information deleted. 
All of your content will be assigned to the %anonymous-name user.', array('%anonymous-name' => $this->config('user.settings')->get('anonymous'))), 'Informs that all content will be attributed to anonymous account.');

  // Confirm account cancellation.
  $timestamp = time();
  $this->drupalPostForm(NULL, NULL, t('Cancel account'));
  $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

  // Confirm account cancellation request.
  // The confirmation URL is rebuilt locally from the account and the
  // timestamp captured above via user_pass_rehash(); presumably this is the
  // same tokenised link the email carries — the test never reads the mail.
  $this->drupalGet("user/" . $account->id() . "/cancel/confirm/{$timestamp}/" . user_pass_rehash($account, $timestamp));
  $user_storage->resetCache(array($account->id()));
  $this->assertFalse($user_storage->load($account->id()), 'User is not found in the database.');

  // Confirm that user's content has been attributed to anonymous user.
  // Owner ids are compared loosely (== 0) because storage may hand back the
  // id as an int or a numeric string.
  $anonymous_user = User::getAnonymousUser();
  $node_storage->resetCache(array($node->id()));
  $test_node = $node_storage->load($node->id());
  $this->assertTrue($test_node->getOwnerId() == 0 && $test_node->isPublished(), 'Node of the user has been attributed to anonymous user.');
  // The first revision was the cancelled user's; the current one is not.
  $test_node = node_revision_load($revision, TRUE);
  $this->assertTrue($test_node->getRevisionUser()->id() == 0 && $test_node->isPublished(), 'Node revision of the user has been attributed to anonymous user.');
  $node_storage->resetCache(array($revision_node->id()));
  $test_node = $node_storage->load($revision_node->id());
  $this->assertTrue($test_node->getOwnerId() != 0 && $test_node->isPublished(), "Current revision of the user's node was not attributed to anonymous user.");
  $storage = \Drupal::entityManager()->getStorage('comment');
  $storage->resetCache(array($comment->id()));
  $test_comment = $storage->load($comment->id());
  $this->assertTrue($test_comment->getOwnerId() == 0 && $test_comment->isPublished(), 'Comment of the user has been attributed to anonymous user.');
  $this->assertEqual($test_comment->getAuthorName(), $anonymous_user->getDisplayName(), 'Comment of the user has been attributed to anonymous user name.');

  // Confirm that the confirmation message made it through to the end user.
  $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
}
/**
 * {@inheritdoc}
 *
 * For a comment without a stored author account (or one authored by the
 * anonymous user) the anonymous account is returned, carrying the author
 * name and homepage taken from the comment itself rather than from an
 * account.
 */
public function getOwner() {
  $owner = $this->get('uid')->entity;
  if ($owner && !$owner->isAnonymous()) {
    return $owner;
  }
  $anonymous = User::getAnonymousUser();
  $anonymous->name = $this->getAuthorName();
  $anonymous->homepage = $this->getHomepage();
  return $anonymous;
}
/**
 * Displays details about a specific database log message.
 *
 * @param int $event_id
 *   Unique ID of the database log message.
 *
 * @return array
 *   If the ID is located in the Database Logging table, a build array in the
 *   format expected by drupal_render(); an empty array otherwise.
 */
public function eventDetails($event_id) {
  $build = array();
  // The id is bound as a query placeholder, so it never reaches the SQL text.
  if ($dblog = $this->database->query('SELECT w.*, u.uid FROM {watchdog} w LEFT JOIN {users} u ON u.uid = w.uid WHERE w.wid = :id', array(':id' => $event_id))->fetchObject()) {
    $severity = RfcLogLevel::getLevels();
    $message = $this->formatMessage($dblog);
    // LEFT JOIN: u.uid is NULL when no users row matches, so the row is
    // rendered as the anonymous account in that case.
    $username = array('#theme' => 'username', '#account' => $dblog->uid ? $this->userStorage->load($dblog->uid) : User::getAnonymousUser());
    // NOTE(review): the stored type is passed to t() as a dynamic string; t()
    // output is treated as safe markup, so this is only safe while channel
    // names are set by code, never by request data — confirm.
    // NOTE(review): location and referer are stored from the logged request
    // (request URI / Referer header) and so are attacker-influenced; linking
    // them relies on Url::fromUri() rejecting anything that is not a valid
    // URI. Confirm it throws on malformed or unexpected-scheme values rather
    // than producing a link.
    // NOTE(review): $severity[$dblog->severity] is an unguarded index; a row
    // with an out-of-range severity raises an undefined-index notice.
    // Hostname is plain-text escaped; the operations link is stored markup
    // and only goes through the admin-level XSS filter.
    $rows = array(
      array(array('data' => $this->t('Type'), 'header' => TRUE), $this->t($dblog->type)),
      array(array('data' => $this->t('Date'), 'header' => TRUE), $this->dateFormatter->format($dblog->timestamp, 'long')),
      array(array('data' => $this->t('User'), 'header' => TRUE), array('data' => $username)),
      array(array('data' => $this->t('Location'), 'header' => TRUE), $this->l($dblog->location, $dblog->location ? Url::fromUri($dblog->location) : Url::fromRoute('<none>'))),
      array(array('data' => $this->t('Referrer'), 'header' => TRUE), $this->l($dblog->referer, $dblog->referer ? Url::fromUri($dblog->referer) : Url::fromRoute('<none>'))),
      array(array('data' => $this->t('Message'), 'header' => TRUE), $message),
      array(array('data' => $this->t('Severity'), 'header' => TRUE), $severity[$dblog->severity]),
      array(array('data' => $this->t('Hostname'), 'header' => TRUE), SafeMarkup::checkPlain($dblog->hostname)),
      array(array('data' => $this->t('Operations'), 'header' => TRUE), SafeMarkup::checkAdminXss($dblog->link))
    );
    $build['dblog_table'] = array(
      '#type' => 'table',
      '#rows' => $rows,
      '#attributes' => array('class' => array('dblog-event')),
      '#attached' => array('library' => array('dblog/drupal.dblog'))
    );
  }
  return $build;
}
/**
 * Checks that the "authored by" works correctly with various values.
 *
 * Posts an unknown name (rejected), an empty string (ownership moves to the
 * anonymous user, uid 0, and the widget then shows "<label> (0)") and another
 * existing user's name (ownership moves to that user).
 *
 * @param \Drupal\node\NodeInterface $node
 *   A node object.
 * @param string $form_element_name
 *   The name of the form element to populate.
 */
protected function checkVariousAuthoredByValues(NodeInterface $node, $form_element_name) {
  $edit_path = 'node/' . $node->id() . '/edit';
  $submit = t('Save and keep published');

  // An unknown user name is rejected.
  $values = array($form_element_name => 'invalid-name');
  $this->drupalPostForm($edit_path, $values, $submit);
  $this->assertRaw(t('There are no entities matching "%name".', array('%name' => 'invalid-name')));

  // An empty value assigns authorship to the anonymous user (uid 0).
  $values[$form_element_name] = '';
  $this->drupalPostForm($edit_path, $values, $submit);
  $this->nodeStorage->resetCache(array($node->id()));
  $node = $this->nodeStorage->load($node->id());
  $uid = $node->getOwnerId();
  // Most SQL database drivers stringify fetches but entities are not
  // necessarily stored in a SQL database. At the same time, NULL/FALSE/""
  // won't do.
  $this->assertTrue($uid === 0 || $uid === '0', 'Node authored by anonymous user.');

  // The author widget on the edit form must display the anonymous account.
  $this->drupalGet($edit_path);
  $anonymous_user = User::getAnonymousUser();
  $expected = $anonymous_user->label() . ' (' . $anonymous_user->id() . ')';
  $this->assertFieldByName($form_element_name, $expected, 'Authored by field displays the correct value for the anonymous user.');

  // Another user's name (a user that is not logged in) transfers ownership.
  $values[$form_element_name] = $this->webUser->getUsername();
  $this->drupalPostForm(NULL, $values, $submit);
  $this->nodeStorage->resetCache(array($node->id()));
  $node = $this->nodeStorage->load($node->id());
  $this->assertIdentical($node->getOwnerId(), $this->webUser->id(), 'Node authored by normal user.');
}
/**
 * Tests exploiting the temporary file removal for anonymous users using fid.
 *
 * Victim and attacker are both the anonymous account here; the anonymous
 * role is granted content permissions and the test session is logged out
 * before the shared scenario runs.
 */
public function testTemporaryFileRemovalExploitAnonymous() {
  // Victim and attacker both act as the anonymous account.
  $victim = User::getAnonymousUser();
  $attacker = User::getAnonymousUser();

  // Grant the anonymous role what the scenario needs.
  $permissions = array(
    'access content' => TRUE,
    'create article content' => TRUE,
    'edit any article content' => TRUE,
  );
  user_role_change_permissions(RoleInterface::ANONYMOUS_ID, $permissions);

  // Drop the test session so subsequent requests are anonymous.
  $this->drupalLogout();

  // Run the shared scenario with the anonymous accounts set up above.
  $this->doTestTemporaryFileRemovalExploit($victim, $attacker);
}