- <?php
- namespace Drupal\Tests\node\Functional;
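/**
 * Tests that node access queries are properly altered by the node module.
 *
 * The low-level tests tag a select on {node} with 'node_access', pass the
 * operation and the account as query metadata, and then count the rows that
 * remain visible. The account under test is always handed over explicitly,
 * so these tests also show whether filtering follows that account rather
 * than whoever happens to be logged in.
 *
 * @group node
 */
class NodeQueryAlterTest extends NodeTestBase {

  /**
   * Modules to enable.
   *
   * @var array
   */
  public static $modules = ['node_access_test'];

  /**
   * User with permission to view content.
   */
  protected $accessUser;

  /**
   * User without permission to view content.
   */
  protected $noAccessUser;

  /**
   * Second user without permission to view content.
   *
   * Logged in during testNodeQueryAlterOverride() so that the current user
   * differs from the account passed in the query metadata.
   */
  protected $noAccessUser2;

  /**
   * Rebuilds node access, creates four nodes and the three test accounts.
   */
  protected function setUp() {
    parent::setUp();
    node_access_rebuild();

    // Create some content.
    $this->drupalCreateNode();
    $this->drupalCreateNode();
    $this->drupalCreateNode();
    $this->drupalCreateNode();

    // Create user with simple node access permission. The 'node test view'
    // permission is implemented and granted by the node_access_test module.
    $this->accessUser = $this->drupalCreateUser(['access content overview', 'access content', 'node test view']);
    $this->noAccessUser = $this->drupalCreateUser(['access content overview', 'access content']);
    $this->noAccessUser2 = $this->drupalCreateUser(['access content overview', 'access content']);
  }

  /**
   * Runs a 'node_access'-tagged select on {node} and returns its rows.
   *
   * Only building and executing the query is guarded by the try block.
   * Callers assert on the returned rows outside of it, so that a wrong row
   * count is reported as such instead of being caught and relabelled as a
   * malformed query.
   *
   * @param string $op
   *   Operation passed as the 'op' metadata, e.g. 'view' or 'update'.
   * @param object $account
   *   Account passed as the 'account' metadata, as returned by
   *   drupalCreateUser().
   *
   * @return array
   *   The rows returned by the altered query.
   */
  private function fetchNodeRowsFor($op, $account) {
    try {
      // The non-standard alias 'mytab' checks that the alter hook does not
      // depend on a particular table alias.
      $query = db_select('node', 'mytab')
        ->fields('mytab');
      $query->addTag('node_access');
      $query->addMetaData('op', $op);
      $query->addMetaData('account', $account);
      return $query->execute()->fetchAll();
    }
    catch (\Exception $e) {
      // Keep the underlying error in the failure output.
      // NOTE(review): assumes fail() aborts the test, as in a PHPUnit-based
      // base class - confirm against NodeTestBase.
      $this->fail('Altered query is malformed: ' . $e->getMessage());
    }
  }

  /**
   * Tests 'node_access' query alter, for user with access.
   *
   * Verifies that a non-standard table alias can be used, and that a user with
   * node access can view the nodes.
   */
  public function testNodeQueryAlterLowLevelWithAccess() {
    // User with access should be able to view 4 nodes.
    $result = $this->fetchNodeRowsFor('view', $this->accessUser);
    $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
  }

  /**
   * Tests 'node_access' query alter with revision-enabled nodes.
   */
  public function testNodeQueryAlterWithRevisions() {
    // Execute a query that only deals with the 'node_revision' table.
    // NOTE(review): no account is set on this query and no user is logged in
    // by this method, so the assertion message's "user with access" is not
    // established here - confirm which account the entity query runs as.
    try {
      $result = \Drupal::entityTypeManager()->getStorage('node')->getQuery()
        ->allRevisions()
        ->execute();
    }
    catch (\Exception $e) {
      $this->fail('Altered query is malformed: ' . $e->getMessage());
    }
    $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
  }

  /**
   * Tests 'node_access' query alter, for user without access.
   *
   * Verifies that a non-standard table alias can be used, and that a user
   * without node access cannot view the nodes.
   */
  public function testNodeQueryAlterLowLevelNoAccess() {
    // User without access should be able to view 0 nodes.
    $result = $this->fetchNodeRowsFor('view', $this->noAccessUser);
    $this->assertEqual(count($result), 0, 'User with no access cannot see nodes');
  }

  /**
   * Tests 'node_access' query alter, for edit access.
   *
   * Verifies that a non-standard table alias can be used, and that a user with
   * view-only node access cannot edit the nodes.
   */
  public function testNodeQueryAlterLowLevelEditAccess() {
    // User with view-only access should not be able to edit nodes.
    $result = $this->fetchNodeRowsFor('update', $this->accessUser);
    $this->assertEqual(count($result), 0, 'User with view-only access cannot edit nodes');
  }

  /**
   * Tests 'node_access' query alter override.
   *
   * Verifies that node_access_view_all_nodes() is called from
   * node_query_node_access_alter(). We do this by checking that a user who
   * normally would not have view privileges is able to view the nodes when we
   * add a record to {node_access} paired with a corresponding privilege in
   * hook_node_grants().
   */
  public function testNodeQueryAlterOverride() {
    $record = [
      'nid' => 0,
      'gid' => 0,
      'realm' => 'node_access_all',
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
    ];
    db_insert('node_access')->fields($record)->execute();

    // Test that the noAccessUser still doesn't have the 'view'
    // privilege after adding the node_access record.
    drupal_static_reset('node_access_view_all_nodes');
    $result = $this->fetchNodeRowsFor('view', $this->noAccessUser);
    $this->assertEqual(count($result), 0, 'User view privileges are not overridden');

    // Have node_test_node_grants return a node_access_all privilege,
    // to grant the noAccessUser 'view' access. To verify that
    // node_access_view_all_nodes is properly checking the specified
    // $account instead of the current user, we will log in as
    // noAccessUser2.
    $this->drupalLogin($this->noAccessUser2);
    \Drupal::state()->set('node_access_test.no_access_uid', $this->noAccessUser->id());
    drupal_static_reset('node_access_view_all_nodes');
    $result = $this->fetchNodeRowsFor('view', $this->noAccessUser);
    $this->assertEqual(count($result), 4, 'User view privileges are overridden');

    \Drupal::state()->delete('node_access_test.no_access_uid');
  }

}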