  1. <?php
  2. /**
  3. * @file
  4. * Tests for field_permissions.module.
  5. */
  6. /**
  7. * Tests the Field Permissions module.
  8. */
  9. class FieldPermissionsTestCase extends DrupalWebTestCase {
  10. private $admin_user = NULL;
  11. private $limited_user = NULL;
  12. private $admin_rid = NULL;
  13. private $limited_rid = NULL;
  14. public static function getInfo() {
  15. return array(
  16. 'name' => 'Field permissions functionality',
  17. 'description' => 'Test field permissions.',
  18. 'group' => 'Field permissions'
  19. );
  20. }
  21. function setUp() {
  22. parent::setUp('field_ui', 'field_permissions');
  23. // Create test user.
  24. $admin_permissions = array('access content', 'administer nodes', 'bypass node access', 'administer content types', 'administer taxonomy', 'administer permissions', 'create page content');
  25. $this->limited_user = $this->drupalCreateUser($admin_permissions);
  26. $all_rids = array_keys($this->limited_user->roles);
  27. sort($all_rids);
  28. $this->limited_rid = array_pop($all_rids);
  29. $admin_permissions[] = 'administer field permissions';
  30. $admin_permissions[] = 'administer users';
  31. $this->admin_user = $this->drupalCreateUser($admin_permissions);
  32. $all_rids = array_keys($this->admin_user->roles);
  33. sort($all_rids);
  34. $this->admin_rid = array_pop($all_rids);
  35. $this->drupalLogin($this->limited_user);
  36. }
  37. function testPermissionsUI() {
  38. // This depends on a page node type with a body field, standard install.
  39. // Could alternatively extend field_ui.test classes, but would be much
  40. // slower to run. Tradeoffs.
  41. $field_info = array(
  42. 'admin_path' => 'admin/structure/types/manage/page/fields/body',
  43. 'machine_name' => 'body',
  44. 'add_path' => 'node/add/page',
  45. 'name' => 'Body',
  46. 'form_field' => 'body[und][0][value]',
  47. 'value' => $this->randomName(),
  48. );
  49. // Check if we can see the field on the entity creation form.
  50. $this->drupalGet($field_info['add_path']);
  51. $this->assertText($field_info['name']);
  52. // Admin users cannot access field permissions without specifically being
  53. // granted the permission to do so.
  54. $this->drupalGet($field_info['admin_path']);
  55. $this->assertNoText(t('Field visibility and permissions'));
  56. // Switch to admin user who can see the field permissions UI.
  57. $this->drupalGet('user/logout');
  58. $this->drupalLogin($this->admin_user);
  59. $this->drupalGet($field_info['admin_path']);
  60. $this->assertText(t('Field visibility and permissions'));
  61. // == PUBLIC FIELD =========================================================
  62. $this->assertFieldChecked('edit-field-field-permissions-type-0');
  63. // Although simpletest could create a node for us, we are doing this directly
  64. // to ensure we have full control over the process. Given that we work with
  65. // field permissions.
  66. $this->drupalGet('user/logout');
  67. $this->drupalLogin($this->limited_user);
  68. $node1_values = array(
  69. 'title' => $this->randomName(),
  70. $field_info['form_field'] => $field_info['value'],
  71. );
  72. $this->drupalPost($field_info['add_path'], $node1_values, t('Save'));
  73. $this->assertText($node1_values['title']);
  74. $this->assertText($field_info['value']);
  75. $url = $this->getUrl();
  76. $nid1 = preg_replace('!^.*node/(\d+)$!', '\1', $url);
  77. // Switch to admin user to check we can see the body.
  78. $this->drupalGet('user/logout');
  79. $this->drupalLogin($this->admin_user);
  80. $this->drupalGet('node/' . $nid1);
  81. $this->assertText($node1_values['title']);
  82. $this->assertText($field_info['value']);
  83. // And we can edit the title and body.
  84. $this->drupalGet('node/' . $nid1 . '/edit');
  85. $this->assertText('Title');
  86. $this->assertText($node1_values['title']);
  87. $this->assertText($field_info['name']);
  88. $this->assertText($field_info['value']);
  89. // == PRIVATE FIELD ========================================================
  90. // Switch to admin user to set field to private.
  91. $edit = array(
  92. 'field[field_permissions][type]' => 1,
  93. );
  94. $this->drupalPost($field_info['admin_path'], $edit, t('Save settings'));
  95. // Now we should not have access to see or edit this field.
  96. $this->drupalGet('node/' . $nid1);
  97. $this->assertText($node1_values['title']);
  98. $this->assertNoText($field_info['value']);
  99. $this->drupalGet($field_info['add_path']);
  100. $this->assertText('Title');
  101. $this->assertText($field_info['name']);
  102. $this->drupalGet('node/' . $nid1 . '/edit');
  103. $this->assertText('Title');
  104. $this->assertNoText($field_info['name']);
  105. $this->assertNoText($field_info['value']);
  106. // Grant this user the Drupal core administrator role. This will give them
  107. // the 'access private fields' permission (tested here), and it also means
  108. // that when custom field permissions are created later on in this test,
  109. // the admin user will automatically get those permissions granted also.
  110. $user_admin_rid = variable_get('user_admin_role', 0);
  111. $edit = array(
  112. "roles[$user_admin_rid]" => TRUE,
  113. );
  114. $this->drupalPost('user/' . $this->admin_user->uid . '/edit', $edit, t('Save'));
  115. // Now we should have access to see or submit or edit this field again.
  116. $this->drupalGet('node/' . $nid1);
  117. $this->assertText($node1_values['title']);
  118. $this->assertText($field_info['value']);
  119. $this->drupalGet($field_info['add_path']);
  120. $this->assertText('Title');
  121. $this->assertText($field_info['name']);
  122. $this->drupalGet('node/' . $nid1 . '/edit');
  123. $this->assertText('Title');
  124. $this->assertText($field_info['name']);
  125. $this->assertText($field_info['value']);
  126. // == CUSTOM PERMISSIONS ===================================================
  127. // Introduce body creation permission.
  128. $edit = array(
  129. 'field[field_permissions][type]' => 2,
  130. );
  131. $this->drupalPost($field_info['admin_path'], $edit, t('Save settings'));
  132. $this->drupalGet($field_info['admin_path']);
  133. $this->assertRaw(t('Create own value for field %field', array('%field' => $field_info['name'])));
  134. $this->assertRaw(t('Edit own value for field %field', array('%field' => $field_info['name'])));
  135. $this->assertRaw(t("Edit anyone's value for field %field", array('%field' => $field_info['name'])));
  136. $this->assertRaw(t('View own value for field %field', array('%field' => $field_info['name'])));
  137. $this->assertRaw(t("View anyone's value for field %field", array('%field' => $field_info['name'])));
  138. // See if we have that exposed on the permissions UI as well now.
  139. $this->drupalGet('admin/people/permissions');
  140. $this->assertText(t('Field Permissions'));
  141. $this->assertRaw(t('Create own value for field %field', array('%field' => $field_info['name'])));
  142. $this->assertRaw(t('Edit own value for field %field', array('%field' => $field_info['name'])));
  143. $this->assertRaw(t("Edit anyone's value for field %field", array('%field' => $field_info['name'])));
  144. $this->assertRaw(t('View own value for field %field', array('%field' => $field_info['name'])));
  145. $this->assertRaw(t("View anyone's value for field %field", array('%field' => $field_info['name'])));
  146. // == CREATE ===============================================================
  147. // The admin user should have been automatically granted the create
  148. // permission, but the limited user shouldn't have it yet.
  149. $this->assertUserHasPermission($this->admin_user, 'create ' . $field_info['machine_name'], t('Admin user does have "create @field" permission.', array('@field' => $field_info['machine_name'])));
  150. $this->assertUserDoesNotHavePermission($this->limited_user, 'create ' . $field_info['machine_name'], t('Limited user does not have "create @field" permission.', array('@field' => $field_info['machine_name'])));
  151. // Should not see the field on the entity creation form anymore for limited_user.
  152. $this->drupalGet('user/logout');
  153. $this->drupalLogin($this->limited_user);
  154. $this->drupalGet($field_info['add_path']);
  155. $this->assertNoText($field_info['name']);
  156. // Grant body creation permission to limited users too.
  157. $edit = array(
  158. $this->limited_rid .'[create '. $field_info['machine_name'] .']' => TRUE,
  159. );
  160. $this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
  161. $this->assertUserHasPermission($this->admin_user, 'create ' . $field_info['machine_name'], t('Admin user does have "create @field" permission.', array('@field' => $field_info['machine_name'])));
  162. $this->assertUserHasPermission($this->limited_user, 'create ' . $field_info['machine_name'], t('Limited user does have "create @field" permission.', array('@field' => $field_info['machine_name'])));
  163. // Should see the field again on the entity creation form.
  164. $this->drupalGet($field_info['add_path']);
  165. $this->assertText($field_info['name']);
  166. // Although simpletest could create a node for us, we are doing this directly
  167. // to ensure we have full control over the process. Given that we work with
  168. // field permissions.
  169. $node2_values = array(
  170. 'title' => $this->randomName(),
  171. $field_info['form_field'] => $field_info['value'],
  172. );
  173. $this->drupalPost($field_info['add_path'], $node2_values, t('Save'));
  174. $this->assertText($node2_values['title']);
  175. // The body will not yet be visible to this user.
  176. $this->assertNoText($field_info['value']);
  177. $url = $this->getUrl();
  178. $nid2 = preg_replace('!^.*node/(\d+)$!', '\1', $url);
  179. // Switch to admin user and prove she has access to body.
  180. $this->drupalGet('user/logout');
  181. $this->drupalLogin($this->admin_user);
  182. $this->drupalGet('node/' . $nid2);
  183. $this->assertText($node2_values['title']);
  184. $this->assertText($field_info['value']);
  185. // == VIEW =================================================================
  186. // Grant body view permission to limited users too.
  187. $edit = array(
  188. $this->limited_rid .'[view '. $field_info['machine_name'] .']' => TRUE,
  189. );
  190. $this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
  191. $this->assertUserHasPermission($this->admin_user, 'view ' . $field_info['machine_name'], t('Admin user does have "view @field" permission.', array('@field' => $field_info['machine_name'])));
  192. $this->assertUserHasPermission($this->limited_user, 'view ' . $field_info['machine_name'], t('Limited user does have "view @field" permission.', array('@field' => $field_info['machine_name'])));
  193. // Limited user can now see the field.
  194. $this->drupalGet('user/logout');
  195. $this->drupalLogin($this->limited_user);
  196. $this->drupalGet('node/' . $nid2);
  197. $this->assertText($node2_values['title']);
  198. $this->assertText($field_info['value']);
  199. // == EDIT =================================================================
  200. // We still don't have access to edit our field.
  201. $this->drupalGet('node/' . $nid2 . '/edit');
  202. $this->assertNoText($field_info['value']);
  203. // Switch to admin user to configure edit permissions.
  204. $this->drupalGet('user/logout');
  205. $this->drupalLogin($this->admin_user);
  206. // Ensure the editing screen now has the body.
  207. $this->drupalGet('node/' . $nid2 . '/edit');
  208. $this->assertText($field_info['value']);
  209. // Grant body editing permission for the limited role.
  210. $edit = array(
  211. $this->limited_rid .'[edit '. $field_info['machine_name'] .']' => TRUE,
  212. );
  213. $this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
  214. $this->assertUserHasPermission($this->admin_user, 'edit ' . $field_info['machine_name'], t('Admin user does have "edit @field" permission.', array('@field' => $field_info['machine_name'])));
  215. $this->assertUserHasPermission($this->limited_user, 'edit ' . $field_info['machine_name'], t('Limited user does have "edit @field" permission.', array('@field' => $field_info['machine_name'])));
  216. // Ensure the editing screen still has the body.
  217. $this->drupalGet('node/' . $nid2 . '/edit');
  218. $this->assertText($field_info['value']);
  219. // Switch to limited user to check that we can edit body now.
  220. $this->drupalGet('user/logout');
  221. $this->drupalLogin($this->limited_user);
  222. $this->drupalGet('node/' . $nid2 . '/edit');
  223. $this->assertText($field_info['value']);
  224. }
  225. function testUserFields() {
  226. // Create a field attached to users and make it appear on the user
  227. // registration form with (default) custom permissions.
  228. $this->drupalLogin($this->admin_user);
  229. $label = 'Field attached to users';
  230. $edit = array(
  231. 'fields[_add_new_field][label]' => $label,
  232. 'fields[_add_new_field][field_name]' => 'attached_to_users',
  233. 'fields[_add_new_field][type]' => 'text',
  234. 'fields[_add_new_field][widget_type]' => 'text_textfield',
  235. );
  236. $this->drupalPost('admin/config/people/accounts/fields', $edit, t('Save'));
  237. $this->drupalPost(NULL, array(), t('Save field settings'));
  238. $edit = array(
  239. 'field[field_permissions][type]' => 2,
  240. 'instance[settings][user_register_form]' => TRUE,
  241. );
  242. $this->drupalPost(NULL, $edit, t('Save settings'));
  243. // Log out, go to the registration form and make sure the field appears
  244. // there for anonymous users.
  245. $this->drupalLogout();
  246. $this->drupalGet('user/register');
  247. $this->assertText($label);
  248. // Log in and make sure the user does not have access to edit the field
  249. // (i.e., there are only default permissions to create it).
  250. $this->drupalLogin($this->limited_user);
  251. $this->drupalGet('user/' . $this->limited_user->uid . '/edit');
  252. $this->assertResponse(200);
  253. $this->assertNoText($label);
  254. }
  255. /**
  256. * Asserts that a user account has a permission.
  257. */
  258. protected function assertUserHasPermission($account, $permission, $message) {
  259. $this->_assertUserPermissionState($account, $permission, $message, TRUE);
  260. }
  261. /**
  262. * Asserts that a user account does not have a permission.
  263. */
  264. protected function assertUserDoesNotHavePermission($account, $permission, $message) {
  265. $this->_assertUserPermissionState($account, $permission, $message, FALSE);
  266. }
  267. /**
  268. * Helper function for asserting user permissions.
  269. */
  270. protected function _assertUserPermissionState($account, $permission, $message, $should_have_permission) {
  271. // We need to clear static caches since the tests may have recently changed
  272. // the permissions via the UI (i.e., in a different thread than the one
  273. // running the tests).
  274. drupal_static_reset('user_access');
  275. drupal_static_reset('user_role_permissions');
  276. // Load the full user account, since we may have been provided an out of
  277. // date pseudo-account of the kind SimpleTest uses (e.g. as returned by
  278. // drupalCreateUser()), rather than an up to date object that actually
  279. // contains the full list of roles this user has been assigned.
  280. $full_account = user_load($account->uid);
  281. // Now check the permission.
  282. $has_permission = user_access($permission, $full_account);
  283. if ($should_have_permission) {
  284. $this->assertTrue($has_permission, $message);
  285. }
  286. else {
  287. $this->assertFalse($has_permission, $message);
  288. }
  289. }
  290. }