/**
  * Tests the formatter output.
  */
 public function testFormatter()
 {
     // The two display configurations exercised below: the default formatter
     // output, and the variant with entity linking switched off.
     $linked_display = ['type' => 'user_name'];
     $plain_display = ['type' => 'user_name', 'settings' => ['link_to_entity' => FALSE]];

     // Case 1: an account that has been saved.
     $account = User::create(['name' => 'test name']);
     $account->save();

     $build = $account->{$this->fieldName}->view($linked_display);
     $this->assertEqual('username', $build[0]['#theme']);
     // Equal object hashes mean the render array carries the very same object
     // instance that was viewed, not just an account that looks alike.
     $this->assertEqual(spl_object_hash($account), spl_object_hash($build[0]['#account']));

     $build = $account->{$this->fieldName}->view($plain_display);
     $this->assertEqual($account->getDisplayName(), $build[0]['#markup']);

     // Case 2: the anonymous account.
     $anonymous = User::getAnonymousUser();

     $build = $anonymous->{$this->fieldName}->view($linked_display);
     $this->assertEqual('username', $build[0]['#theme']);
     $this->assertEqual(spl_object_hash($anonymous), spl_object_hash($build[0]['#account']));

     $build = $anonymous->{$this->fieldName}->view($plain_display);
     $this->assertEqual($anonymous->getDisplayName(), $build[0]['#markup']);
     // For the anonymous account the plain output must also match the
     // site-configured anonymous name.
     $this->assertEqual($this->config('user.settings')->get('anonymous'), $build[0]['#markup']);
 }
 /**
  * Ensures user labels are accessible for everyone.
  */
 public function testUserLabelAccess()
 {
     // Expected access matrix for every check below: all operations on the
     // user entity are denied, only reading its label is allowed.
     $label_only = ['create' => FALSE, 'update' => FALSE, 'delete' => FALSE, 'view' => FALSE, 'view label' => TRUE];

     // Act as an ordinary account first. NOTE(review): uid 2 is presumably
     // chosen so the account is not the site's first (administrative) user;
     // confirm.
     \Drupal::currentUser()->setAccount($this->createUser(['uid' => 2]));
     $anonymous_account = User::getAnonymousUser();
     $other_account = $this->createUser();
     $targets = [$anonymous_account, $other_account];

     // The current user may read the label of the anonymous account and of
     // another user, and nothing more.
     foreach ($targets as $target) {
         $this->assertEntityAccess($label_only, $target);
     }

     // Repeat the same checks while running as an anonymous session.
     $switcher = \Drupal::service('account_switcher');
     $switcher->switchTo(new AnonymousUserSession());
     foreach ($targets as $target) {
         $this->assertEntityAccess($label_only, $target);
     }

     // Return to the account that was active before the switch.
     $switcher->switchBack();
 }
 /**
  * {@inheritdoc}
  */
 public function getOwner()
 {
     $owner = $this->get('uid')->entity;

     // A referenced, non-anonymous account is returned as it is.
     if ($owner && !$owner->isAnonymous()) {
         return $owner;
     }

     // No usable owner: substitute the anonymous account and give it the
     // anonymous name configured in user.settings.
     $placeholder = \Drupal\user\Entity\User::getAnonymousUser();
     $placeholder->name = \Drupal::config('user.settings')->get('anonymous');
     return $placeholder;
 }
示例#4
 /**
  * Delete account and anonymize all content.
  */
 function testUserAnonymize()
 {
     // End-to-end check of account cancellation with content reassignment:
     // after the account is cancelled, the user record must be gone while the
     // user's node, old node revision and comment stay published and are
     // owned by uid 0.
     $node_storage = $this->container->get('entity.manager')->getStorage('node');
     // Select the cancellation method under test.
     $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();
     // Create comment field on page.
     $this->addDefaultCommentField('node', 'page');
     $user_storage = $this->container->get('entity.manager')->getStorage('user');
     // Create a user who is permitted to cancel an account, and log in as it.
     $account = $this->drupalCreateUser(array('cancel account'));
     $this->drupalLogin($account);
     // Load a real user object.
     $user_storage->resetCache(array($account->id()));
     $account = $user_storage->load($account->id());
     // Create a simple node.
     $node = $this->drupalCreateNode(array('uid' => $account->id()));
     // Add a comment to the page.
     $comment_subject = $this->randomMachineName(8);
     $comment_body = $this->randomMachineName(8);
     $comment = Comment::create(array('subject' => $comment_subject, 'comment_body' => $comment_body, 'entity_id' => $node->id(), 'entity_type' => 'node', 'field_name' => 'comment', 'status' => CommentInterface::PUBLISHED, 'uid' => $account->id()));
     $comment->save();
     // Create a node with two revisions, the initial one belonging to the
     // cancelling user.
     $revision_node = $this->drupalCreateNode(array('uid' => $account->id()));
     // Remember the id of the first revision; it is reloaded further down.
     $revision = $revision_node->getRevisionId();
     $settings = get_object_vars($revision_node);
     $settings['revision'] = 1;
     $settings['uid'] = 1;
     // Set new/current revision to someone else.
     $revision_node = $this->drupalCreateNode($settings);
     // Attempt to cancel account.
     $this->drupalGet('user/' . $account->id() . '/edit');
     $this->drupalPostForm(NULL, NULL, t('Cancel account'));
     $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
     $this->assertRaw(t('Your account will be removed and all account information deleted. All of your content will be assigned to the %anonymous-name user.', array('%anonymous-name' => $this->config('user.settings')->get('anonymous'))), 'Informs that all content will be attributed to anonymous account.');
     // Confirm account cancellation. The timestamp is taken before the form is
     // submitted because it is reused below to rebuild the confirmation URL.
     $timestamp = time();
     $this->drupalPostForm(NULL, NULL, t('Cancel account'));
     $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');
     // Confirm account cancellation request. The URL is rebuilt here from the
     // account id, the timestamp and user_pass_rehash(); the e-mail itself is
     // not read in this test.
     // NOTE(review): presumably this matches the link that is mailed to the
     // user - confirm against the mail-building code.
     $this->drupalGet("user/" . $account->id() . "/cancel/confirm/{$timestamp}/" . user_pass_rehash($account, $timestamp));
     // Reset the storage cache so the load below is not served a stale copy.
     $user_storage->resetCache(array($account->id()));
     $this->assertFalse($user_storage->load($account->id()), 'User is not found in the database.');
     // Confirm that user's content has been attributed to anonymous user.
     $anonymous_user = User::getAnonymousUser();
     $node_storage->resetCache(array($node->id()));
     $test_node = $node_storage->load($node->id());
     // NOTE(review): the owner id is compared loosely (==), presumably so that
     // an id returned as the string '0' also passes - confirm.
     $this->assertTrue($test_node->getOwnerId() == 0 && $test_node->isPublished(), 'Node of the user has been attributed to anonymous user.');
     // The first revision was authored by the cancelled account, so its
     // revision user must now be uid 0 as well.
     $test_node = node_revision_load($revision, TRUE);
     $this->assertTrue($test_node->getRevisionUser()->id() == 0 && $test_node->isPublished(), 'Node revision of the user has been attributed to anonymous user.');
     // The current revision was created with uid 1 and must keep a non-zero
     // owner.
     $node_storage->resetCache(array($revision_node->id()));
     $test_node = $node_storage->load($revision_node->id());
     $this->assertTrue($test_node->getOwnerId() != 0 && $test_node->isPublished(), "Current revision of the user's node was not attributed to anonymous user.");
     // The comment must be owned by uid 0 and display the anonymous name.
     $storage = \Drupal::entityManager()->getStorage('comment');
     $storage->resetCache(array($comment->id()));
     $test_comment = $storage->load($comment->id());
     $this->assertTrue($test_comment->getOwnerId() == 0 && $test_comment->isPublished(), 'Comment of the user has been attributed to anonymous user.');
     $this->assertEqual($test_comment->getAuthorName(), $anonymous_user->getDisplayName(), 'Comment of the user has been attributed to anonymous user name.');
     // Confirm that the confirmation message made it through to the end user.
     $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
 }
示例#5
文件: Comment.php 项目: brstde/gap1
 /**
  * {@inheritdoc}
  */
 public function getOwner()
 {
     $owner = $this->get('uid')->entity;
     $has_registered_owner = $owner && !$owner->isAnonymous();

     if (!$has_registered_owner) {
         // Fall back to the anonymous account, carrying over the author name
         // and homepage stored with this comment.
         // NOTE(review): for anonymous comments these two values are
         // presumably supplied by the visitor; callers that render them
         // should treat them as untrusted - confirm.
         $owner = User::getAnonymousUser();
         $owner->name = $this->getAuthorName();
         $owner->homepage = $this->getHomepage();
     }

     return $owner;
 }
示例#6
 /**
  * Displays details about a specific database log message.
  *
  * @param int $event_id
  *   Unique ID of the database log message.
  *
  * @return array
  *   If the ID is located in the Database Logging table, a build array in the
  *   format expected by drupal_render(); otherwise an empty array.
  *
  */
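 public function eventDetails($event_id)
 {
     // Builds the detail table for one log entry. The entry is looked up with
     // a bound :id placeholder; when no row matches, the empty build array is
     // returned unchanged.
     $build = [];
     $dblog = $this->database->query('SELECT w.*, u.uid FROM {watchdog} w LEFT JOIN {users} u ON u.uid = w.uid WHERE w.wid = :id', [':id' => $event_id])->fetchObject();
     if (!$dblog) {
         return $build;
     }

     $severity = RfcLogLevel::getLevels();
     $message = $this->formatMessage($dblog);
     // A falsy uid is shown as the anonymous account.
     $username = ['#theme' => 'username', '#account' => $dblog->uid ? $this->userStorage->load($dblog->uid) : User::getAnonymousUser()];

     // The location and referrer columns hold whatever was recorded with the
     // log entry and are not guaranteed to be well-formed URIs. Url::fromUri()
     // throws \InvalidArgumentException for a string it cannot parse as a URI,
     // which would make the whole detail page fail for a single bad record,
     // so such a value is shown as escaped plain text instead of a link.
     $link_or_text = function ($uri) {
         try {
             return $this->l($uri, $uri ? Url::fromUri($uri) : Url::fromRoute('<none>'));
         }
         catch (\InvalidArgumentException $e) {
             return SafeMarkup::checkPlain($uri);
         }
     };

     $rows = [
         [
             ['data' => $this->t('Type'), 'header' => TRUE],
             // NOTE(review): a stored value is used as the translation source
             // string here. This presumably relies on the type column holding
             // only names defined in code, never request data - confirm.
             $this->t($dblog->type),
         ],
         [
             ['data' => $this->t('Date'), 'header' => TRUE],
             $this->dateFormatter->format($dblog->timestamp, 'long'),
         ],
         [
             ['data' => $this->t('User'), 'header' => TRUE],
             ['data' => $username],
         ],
         [
             ['data' => $this->t('Location'), 'header' => TRUE],
             $link_or_text($dblog->location),
         ],
         [
             ['data' => $this->t('Referrer'), 'header' => TRUE],
             $link_or_text($dblog->referer),
         ],
         [
             ['data' => $this->t('Message'), 'header' => TRUE],
             $message,
         ],
         [
             ['data' => $this->t('Severity'), 'header' => TRUE],
             $severity[$dblog->severity],
         ],
         [
             ['data' => $this->t('Hostname'), 'header' => TRUE],
             // Escaped before output.
             SafeMarkup::checkPlain($dblog->hostname),
         ],
         [
             ['data' => $this->t('Operations'), 'header' => TRUE],
             // Stored link markup is passed through the admin XSS filter.
             SafeMarkup::checkAdminXss($dblog->link),
         ],
     ];

     $build['dblog_table'] = [
         '#type' => 'table',
         '#rows' => $rows,
         '#attributes' => ['class' => ['dblog-event']],
         '#attached' => ['library' => ['dblog/drupal.dblog']],
     ];

     return $build;
 }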
 /**
  * Checks that the "authored by" works correctly with various values.
  *
  * @param \Drupal\node\NodeInterface $node
  *   A node object.
  * @param string $form_element_name
  *   The name of the form element to populate.
  */
 protected function checkVariousAuthoredByValues(NodeInterface $node, $form_element_name)
 {
     // Step 1: a user name that does not exist must be rejected with the
     // "no entities matching" message.
     $form_values = [$form_element_name => 'invalid-name'];
     $this->drupalPostForm("node/{$node->id()}/edit", $form_values, t('Save and keep published'));
     $this->assertRaw(t('There are no entities matching "%name".', ['%name' => 'invalid-name']));

     // Step 2: an empty value should hand authorship to the anonymous user
     // (uid 0).
     $form_values[$form_element_name] = '';
     $this->drupalPostForm("node/{$node->id()}/edit", $form_values, t('Save and keep published'));
     $this->nodeStorage->resetCache([$node->id()]);
     $node = $this->nodeStorage->load($node->id());
     $owner_id = $node->getOwnerId();
     // The id may come back as an integer or, from SQL drivers that stringify
     // fetched values, as a string. Only exactly 0 or '0' is accepted; NULL,
     // FALSE and "" must not pass.
     $this->assertTrue(in_array($owner_id, [0, '0'], TRUE), 'Node authored by anonymous user.');

     // Step 3: reopen the edit form; the author widget must show the
     // anonymous user as "label (id)".
     $this->drupalGet("node/{$node->id()}/edit");
     $anonymous = User::getAnonymousUser();
     $expected_value = sprintf('%s (%s)', $anonymous->label(), $anonymous->id());
     $this->assertFieldByName($form_element_name, $expected_value, 'Authored by field displays the correct value for the anonymous user.');

     // Step 4: assign authorship to another existing user who is not the one
     // logged in.
     $form_values[$form_element_name] = $this->webUser->getUsername();
     $this->drupalPostForm(NULL, $form_values, t('Save and keep published'));
     $this->nodeStorage->resetCache([$node->id()]);
     $node = $this->nodeStorage->load($node->id());
     $this->assertIdentical($node->getOwnerId(), $this->webUser->id(), 'Node authored by normal user.');
 }
示例#8
 /**
  * Tests exploiting the temporary file removal for anonymous users using fid.
  */
 public function testTemporaryFileRemovalExploitAnonymous()
 {
     // Regression test for the anonymous case: both roles in the scenario are
     // played by anonymous accounts.
     $victim = User::getAnonymousUser();
     $attacker = User::getAnonymousUser();

     // Give the anonymous role the permissions needed to view, create and
     // edit article content.
     $anonymous_permissions = [
         'access content' => TRUE,
         'create article content' => TRUE,
         'edit any article content' => TRUE,
     ];
     user_role_change_permissions(RoleInterface::ANONYMOUS_ID, $anonymous_permissions);

     // End the current session so the following requests are made as the
     // anonymous user.
     $this->drupalLogout();

     // Run the shared scenario with the two anonymous accounts.
     $this->doTestTemporaryFileRemovalExploit($victim, $attacker);
 }