mirrored from http://git.drupal.org/project/drupal.git
SA-CORE-2018-001 by cashwilliams, catch, cilefen, droplet, dawehner, …
…bonus, agentrickard, David_Rothstein, Chi, Gábor Hojtsy, Heine, Wim Leers, Schnitzel, drpal, effulgentsia, tedbow, tim.plunkett, tstoeckler, xjm, will_c, stefan.r, samuel.mortenson, larowlan, greggles, logaritmisk, mpdonadio, pwolanin, plach
Nathaniel Catchpole
committed
Feb 20, 2018
1 parent
0c11ebf
commit a25f05d
Showing
12 changed files
with
376 additions
and
10 deletions.
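--- a/core/modules/comment/tests/src/Functional/CommentAccessTest.php
+++ b/core/modules/comment/tests/src/Functional/CommentAccessTest.php
@@ -0,0 +1,120 @@
+<?php
+
+namespace Drupal\Tests\comment\Functional;
+
+use Drupal\comment\Entity\Comment;
+use Drupal\comment\Tests\CommentTestTrait;
+use Drupal\node\Entity\NodeType;
+use Drupal\Tests\BrowserTestBase;
+
+/**
+* Tests comment administration and preview access.
+*
+* @group comment
+*/
+class CommentAccessTest extends BrowserTestBase {
+
+use CommentTestTrait;
+
+/**
+* {@inheritdoc}
+*/
+public static $modules = [
+'node',
+'comment',
+];
+
+/**
+* Node for commenting.
+*
+* @var \Drupal\node\NodeInterface
+*/
+protected $unpublishedNode;
+
+/**
+* {@inheritdoc}
+*/
+protected function setUp() {
+parent::setUp();
+
+$node_type = NodeType::create([
+'type' => 'article',
+'name' => 'Article',
+]);
+$node_type->save();
+$node_author = $this->drupalCreateUser([
+'create article content',
+'access comments',
+]);
+
+$this->drupalLogin($this->drupalCreateUser([
+'edit own comments',
+'skip comment approval',
+'post comments',
+'access comments',
+'access content',
+]));
+
+$this->addDefaultCommentField('node', 'article');
+$this->unpublishedNode = $this->createNode([
+'title' => 'This is unpublished',
+'uid' => $node_author->id(),
+'status' => 0,
+'type' => 'article',
+]);
+$this->unpublishedNode->save();
+}
+
+/**
+* Tests commenting disabled for access-blocked entities.
+*/
+public function testCannotCommentOnEntitiesYouCannotView() {
+$assert = $this->assertSession();
+
+$comment_url = 'comment/reply/node/' . $this->unpublishedNode->id() . '/comment';
+
+// Commenting on an unpublished node results in access denied.
+$this->drupalGet($comment_url);
+$assert->statusCodeEquals(403);
+
+// Publishing the node grants access.
+$this->unpublishedNode->setPublished(TRUE)->save();
+$this->drupalGet($comment_url);
+$assert->statusCodeEquals(200);
+}
+
+/**
+* Tests cannot view comment reply form on entities you cannot view.
+*/
+public function testCannotViewCommentReplyFormOnEntitiesYouCannotView() {
+$assert = $this->assertSession();
+
+// Create a comment on an unpublished node.
+$comment = Comment::create([
+'entity_type' => 'node',
+'name' => 'Tony',
+'hostname' => 'magic.example.com',
+'mail' => 'foo@example.com',
+'subject' => 'Comment on unpublished node',
+'entity_id' => $this->unpublishedNode->id(),
+'comment_type' => 'comment',
+'field_name' => 'comment',
+'pid' => 0,
+'uid' => $this->unpublishedNode->getOwnerId(),
+'status' => 1,
+]);
+$comment->save();
+
+$comment_url = 'comment/reply/node/' . $this->unpublishedNode->id() . '/comment/' . $comment->id();
+
+// Replying to a comment on an unpublished node results in access denied.
+$this->drupalGet($comment_url);
+$assert->statusCodeEquals(403);
+
+// Publishing the node grants access.
+$this->unpublishedNode->setPublished(TRUE)->save();
+$this->drupalGet($comment_url);
+$assert->statusCodeEquals(200);
+}
+
+}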
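Review bot: The class docblock reads "Tests comment administration and preview access", but both test methods only request the `comment/reply/node/…` routes for a node the logged-in user cannot view; `* Tests that comment reply routes honour view access on the commented entity.` would describe the file accurately. The 403 assertions depend on the logged-in account being a different user from `$node_author` and holding only the five listed permissions, so a one-line comment above the `drupalLogin()` call in `setUp()` saying the commenter must not be able to view the unpublished node would record why the two accounts are kept separate. Both tests stop at the GET status code; whether a submission to the same route is rejected while the node is unpublished is not exercised in this file and may be covered elsewhere in the commit.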
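--- a/core/modules/node/tests/src/Functional/NodeAccessLanguageFallbackTest.php
+++ b/core/modules/node/tests/src/Functional/NodeAccessLanguageFallbackTest.php
@@ -0,0 +1,131 @@
+<?php
+
+namespace Drupal\Tests\node\Functional;
+
+use Drupal\language\Entity\ConfigurableLanguage;
+
+/**
+* Tests that the node_access system stores the proper fallback marker.
+*
+* @group node
+*/
+class NodeAccessLanguageFallbackTest extends NodeTestBase {
+
+/**
+* Enable language and a non-language-aware node access module.
+*
+* @var array
+*/
+public static $modules = ['language', 'node_access_test', 'content_translation'];
+
+/**
+* {@inheritdoc}
+*/
+protected function setUp() {
+parent::setUp();
+
+// After enabling a node access module, the {node_access} table has to be
+// rebuilt.
+node_access_rebuild();
+
+// Add Hungarian, Catalan, and Afrikaans.
+ConfigurableLanguage::createFromLangcode('hu')->save();
+ConfigurableLanguage::createFromLangcode('ca')->save();
+ConfigurableLanguage::createFromLangcode('af')->save();
+
+// Enable content translation for the current entity type.
+\Drupal::service('content_translation.manager')->setEnabled('node', 'page', TRUE);
+}
+
+/**
+* Tests node access fallback handling with multiple node languages.
+*/
+public function testNodeAccessLanguageFallback() {
+// The node_access_test module allows nodes to be marked private. We need to
+// ensure that system honors the fallback system of node access properly.
+// Note that node_access_test_language is language-sensitive and does not
+// apply to the fallback test.
+
+// Create one node in Hungarian and marked as private.
+$node = $this->drupalCreateNode([
+'body' => [[]],
+'langcode' => 'hu',
+'private' => [['value' => 1]],
+'status' => 1,
+]);
+
+// There should be one entry in node_access, with fallback set to hu.
+$this->checkRecords(1, 'hu');
+
+// Create a translation user.
+$admin = $this->drupalCreateUser([
+'bypass node access',
+'administer nodes',
+'translate any entity',
+'administer content translation',
+]);
+$this->drupalLogin($admin);
+$this->drupalGet('node/' . $node->id() . '/translations');
+$this->assertSession()->statusCodeEquals(200);
+
+// Create a Catalan translation through the UI.
+$url_options = ['language' => \Drupal::languageManager()->getLanguage('ca')];
+$this->drupalGet('node/' . $node->id() . '/translations/add/hu/ca', $url_options);
+$this->assertSession()->statusCodeEquals(200);
+// Save the form.
+$this->getSession()->getPage()->pressButton('Save (this translation)');
+$this->assertSession()->statusCodeEquals(200);
+
+// Check the node access table.
+$this->checkRecords(2, 'hu');
+
+// Programmatically create a translation. This process lets us check that
+// both forms and code behave in the same way.
+$storage = \Drupal::entityTypeManager()->getStorage('node');
+// Reload the node.
+$node = $storage->load(1);
+// Create an Afrikaans translation.
+$translation = $node->addTranslation('af');
+$translation->title->value = $this->randomString();
+$translation->status = 1;
+$node->save();
+
+// Check the node access table.
+$this->checkRecords(3, 'hu');
+
+// For completeness, edit the Catalan version again.
+$this->drupalGet('node/' . $node->id() . '/edit', $url_options);
+$this->assertSession()->statusCodeEquals(200);
+// Save the form.
+$this->getSession()->getPage()->pressButton('Save (this translation)');
+$this->assertSession()->statusCodeEquals(200);
+// Check the node access table.
+$this->checkRecords(3, 'hu');
+}
+
+/**
+* Queries the node_access table and checks for proper storage.
+*
+* @param int $count
+* The number of rows expected by the query (equal to the translation
+* count).
+* @param $langcode
+* The expected language code set as the fallback property.
+*/
+public function checkRecords($count, $langcode = 'hu') {
+$select = \Drupal::database()
+->select('node_access', 'na')
+->fields('na', ['nid', 'fallback', 'langcode', 'grant_view'])
+->condition('na.realm', 'node_access_test', '=')
+->condition('na.gid', 8888, '=');
+$records = $select->execute()->fetchAll();
+// Check that the expected record count is returned.
+$this->assertEquals(count($records), $count);
+// The fallback value is 'hu' and should be set to 1. For other languages,
+// it should be set to 0. Casting to boolean lets us run that comparison.
+foreach ($records as $record) {
+$this->assertEquals((bool) $record->fallback, $record->langcode === $langcode);
+}
+}
+
+}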
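Review bot: In `checkRecords()` both `assertEquals()` calls pass the observed value first and the expected value second, so a failure would report the two the wrong way round; `$this->assertCount($count, $records);` and `$this->assertEquals($record->langcode === $langcode, (bool) $record->fallback);` keep PHPUnit's expected-then-actual order. The query also selects `grant_view`, but nothing asserts on it, so as far as this file shows the test would still pass if a translation row for the private node carried an unexpected grant; either assert the value per row or drop the column from `fields()`. In `testNodeAccessLanguageFallback()`, `$storage->load(1)` hard-codes the node ID where `$storage->load($node->id())` is available. The `@param $langcode` tag is missing its `string` type, and the inline comment in the loop names 'hu' although the method compares against the `$langcode` argument.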