More intellegent access control (#470)
* Start on #464: enabling and disabling modules and access to their content types. Requires localgovdrupal/localgov_geo#118 Notes: - Should switch to use the user and group roles we define in the submodules. - Why does Log Out not work? It does outside of tests. - Adding tests for global (non-group path) creation of content when it's included in the access per domain. * Add logging out to trait. Sometimes the repeated / from domain and path matter. Sometimes they don't. Here they do. * Switch to use group_sites access providers to supply permissions. In addition to disabling modules per domain. Remove permissions to create (group) content on the control domain. * Test broke in 10.3 because of new logout route option for CSRF. New route option for redirecting when access is denied to a CSRF protected route https://www.drupal.org/node/3152693 Not sure what it was doing in 10.2 now to work. But this shouldn't break that as it checks for the form first. * Remove unnecessary (wrong type) translation. * Who knows maybe this works with 10.2 otherwise it's 10.3 only. * Move shared relationship into optional. Already exists in optional in localgov_microsites_group_term_ui and localgov_microsites_blogs. Depending on install order one of these can be already existing in configuration when the news config is installed. * Fuller check of permissions paths. * Add "all" (not quite see comment) admin paths checks. * See if we can test on github against 10.3 * Test now covers all access by content type options. * Upgrade configuration for existing sites. * Add "all" (not quite see comment) admin paths checks. * See if we can test on github against 10.3 * Test now covers all access by content type options. * Add blogs tests (and remove permissions not available from module). * Add blogs tests (and remove permissions not available from module). * Switch branch used for installing microsites to one that installs 10.3 * It's a composer require string? 
* Oops, pay attention to the branch names. * Script is adding -dev, but it didn't seem to work before. Maybe just wrong string? * Fixing Github Actions * Coding standards fixes * Fix some coding standards. * Rework attempt for rendering and listing of themes to remove deprecated methods. * Move to using constructor property promotion, advised by ru and ekes. * Refactor to use dependency injection. * Fix naming of variables / properties. * Fix missing argument for localgov_microsites_group.microsite_content_types_access_policy service. * Add missing extension.list.theme to create method. * Fix typos in call to moduleHandler. --------- Co-authored-by: Stephen Cox <stephen@agile.coop> Co-authored-by: Finn <finn@finnlewis.com> Co-authored-by: Finn Lewis <finn@opencode.uk>
1 parent
096dfd0
commit a0c800b
Showing
15 changed files
with
966 additions
and
156 deletions.
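--- a/modules/localgov_microsites_blogs/tests/src/Functional/MicrositeBlogsContentTest.php
+++ b/modules/localgov_microsites_blogs/tests/src/Functional/MicrositeBlogsContentTest.php
@@ -0,0 +1,147 @@
+<?php
+
+namespace Drupal\Tests\localgov_microsites_blogs\Functional;
+
+use Drupal\group\Entity\GroupInterface;
+use Drupal\localgov_microsites_group\DomainFromGroupTrait;
+use Drupal\node\NodeInterface;
+use Drupal\Tests\BrowserTestBase;
+use Drupal\Tests\localgov_microsites_group\Traits\GroupCreationTrait;
+use Drupal\Tests\localgov_microsites_group\Traits\InitializeGroupsTrait;
+use Drupal\Tests\node\Traits\NodeCreationTrait;
+
+/**
+* Tests channel content in a group.
+*
+* @group localgov_microsites_group
+*/
+class MicrositeBlogsContentTest extends BrowserTestBase {
+
+use InitializeGroupsTrait;
+use NodeCreationTrait;
+use GroupCreationTrait, DomainFromGroupTrait {
+GroupCreationTrait::getEntityTypeManager insteadof DomainFromGroupTrait;
+}
+
+/**
+* Will be removed when issue #3204455 on Domain Site Settings gets merged.
+*
+* See https://www.drupal.org/project/domain_site_settings/issues/3204455.
+*
+* @var bool
+*
+* @see \Drupal\Core\Config\Development\ConfigSchemaChecker
+* phpcs:disable DrupalPractice.Objects.StrictSchemaDisabled.StrictConfigSchema
+*/
+protected $strictConfigSchema = FALSE;
+
+/**
+* {@inheritdoc}
+*/
+protected $profile = 'testing';
+
+/**
+* {@inheritdoc}
+*/
+protected $defaultTheme = 'stark';
+
+/**
+* {@inheritdoc}
+*/
+protected static $modules = [
+'localgov_microsites_blogs',
+];
+
+/**
+* {@inheritdoc}
+*/
+protected function setUp(): void {
+parent::setUp();
+
+$this->createMicrositeGroups([], 2);
+$this->createMicrositeGroupsDomains($this->groups);
+$this->domain1 = $this->getDomainFromGroup($this->groups[1]);
+$this->domain2 = $this->getDomainFromGroup($this->groups[2]);
+
+// Create some channel content.
+$this->blog_channel1 = $this->createBlogChannel($this->groups[1]);
+$this->post1 = $this->createBlogPosts($this->blog_channel1, $this->groups[1], 2);
+$this->blog_channel2 = $this->createBlogChannel($this->groups[2]);
+$this->post2 = $this->createBlogPosts($this->blog_channel2, $this->groups[2], 2);
+}
+
+/**
+* Test content appears on the correct site.
+*/
+public function testMicrositeblogContent() {
+
+// Check content appears on the correct sites.
+$this->drupalGet($this->domain1->getUrl() . $this->blog_channel1->toUrl()->toString());
+$this->assertSession()->pageTextContains($this->post1[0]->label());
+$this->assertSession()->pageTextContains($this->post1[1]->label());
+$this->assertSession()->pageTextNotContains($this->post2[0]->label());
+$this->assertSession()->pageTextNotContains($this->post2[1]->label());
+
+$this->drupalGet($this->domain2->getUrl() . $this->blog_channel2->toUrl()->toString());
+$this->assertSession()->pageTextContains($this->post2[0]->label());
+$this->assertSession()->pageTextContains($this->post2[1]->label());
+$this->assertSession()->pageTextNotContains($this->post1[0]->label());
+$this->assertSession()->pageTextNotContains($this->post1[1]->label());
+}
+
+/**
+* Create blog channel in group.
+*
+* @param \Drupal\group\Entity\GroupInterface $group
+* Group to create blog_channel in.
+*
+* @return \Drupal\node\NodeInterface
+* The blog_channel.
+*/
+protected function createBlogChannel(GroupInterface $group) {
+
+$channel = $this->createNode([
+'type' => 'localgov_blog_channel',
+'title' => $this->randomMachineName(12),
+'status' => NodeInterface::PUBLISHED,
+]);
+$channel->save();
+$group->addRelationship($channel, 'group_node:localgov_blog_channel');
+
+return $channel;
+}
+
+/**
+* Create count blog posts in blog channel and group.
+*
+* @param \Drupal\node\NodeInterface $channel
+* Blog channel to create posts in.
+* @param \Drupal\group\Entity\GroupInterface $group
+* Group to create post in.
+* @param int $count
+* Number of blog post to create.
+*
+* @return \Drupal\node\NodeInterface[]
+* Array of blog posts.
+*/
+protected function createBlogPosts(NodeInterface $channel, GroupInterface $group, int $count) {
+$posts = [];
+
+for ($i = 0; $i < $count; $i++) {
+$post = $this->createNode([
+'type' => 'localgov_blog_post',
+'title' => $this->randomMachineName(12),
+'localgov_blog_channel' => [
+'target_id' => $channel->id(),
+],
+'status' => NodeInterface::PUBLISHED,
+]);
+$post->save();
+$group->addRelationship($post, 'group_node:localgov_blog_post');
+$posts[] = $post;
+}
+
+return $posts;
+}
+
+}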
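Review bot: testMicrositeblogContent() only asserts which post titles appear on each domain's channel listing, so it would still pass if a post belonging to the other microsite were served when its own URL is requested on the wrong domain. Since this commit is about access control, a direct-request check would pin that boundary, for example `$this->drupalGet($this->domain1->getUrl() . $this->post2[0]->toUrl()->toString());` followed by a status-code assertion for whichever denial response the project intends (not visible here). Separately, setUp() assigns `$this->domain1`, `$this->blog_channel1`, `$this->post1` and their counterparts without declaring them in the visible class (the traits are not shown); declaring them as protected properties would avoid the dynamic-property deprecation in PHP 8.2.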
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
<?php | ||
|
||
namespace Drupal\localgov_microsites_group\Access; | ||
|
||
use Drupal\Core\Session\AccountInterface; | ||
use Drupal\Core\StringTranslation\StringTranslationTrait; | ||
use Drupal\flexible_permissions\CalculatedPermissionsItem; | ||
use Drupal\flexible_permissions\RefinableCalculatedPermissionsInterface; | ||
use Drupal\group\PermissionScopeInterface; | ||
use Drupal\group_sites\Access\GroupSitesNoSiteAccessPolicyInterface; | ||
|
||
/** | ||
* Access policy for control site. | ||
*/ | ||
class ControlSiteAccessPolicy implements GroupSitesNoSiteAccessPolicyInterface { | ||
|
||
use StringTranslationTrait; | ||
|
||
/** | ||
* {@inheritdoc} | ||
*/ | ||
public function getLabel(): string { | ||
return $this->t('Localgov Microsites Control Site'); | ||
} | ||
|
||
/** | ||
* {@inheritdoc} | ||
*/ | ||
public function getDescription(): string { | ||
return $this->t('Prevent most content: nodes, media, etc being created on the control site.'); | ||
} | ||
|
||
/** | ||
* {@inheritdoc} | ||
*/ | ||
public function alterPermissions(AccountInterface $account, string $scope, RefinableCalculatedPermissionsInterface $calculated_permissions) { | ||
// User will probably have permissions for groups. | ||
// Eg. as Outsider with Controller role. | ||
// We might even want to switch off admin and replace with specific | ||
// permissions to prevent doing group content on control. | ||
if ($scope === PermissionScopeInterface::INDIVIDUAL_ID) { | ||
$items = $calculated_permissions->getItemsByScope($scope); | ||
foreach ($items as $item) { | ||
$permissions = $item->getPermissions(); | ||
// Permissions to maintain on the control site. | ||
// @todo add control site specific permissions. | ||
$keep = [ | ||
'administer group domain site settings', | ||
'administer members', | ||
'edit group', | ||
'invite users to group', | ||
'manage microsite enabled module permissions', | ||
'set localgov microsite theme override', | ||
'view any unpublished group', | ||
'view group', | ||
'view group invitations', | ||
'view latest group version', | ||
'view own unpublished group', | ||
]; | ||
$permissions = array_intersect($permissions, $keep); | ||
|
||
$control_site_item = new CalculatedPermissionsItem( | ||
$scope, | ||
$item->getIdentifier(), | ||
$permissions, | ||
$item->isAdmin() | ||
); | ||
$calculated_permissions->addItem($control_site_item, TRUE); | ||
} | ||
} | ||
else { | ||
// Neither standard insider nor outside permissions should be required. | ||
$calculated_permissions->removeItemsByScope($scope); | ||
} | ||
} | ||
|
||
} |
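Review bot: In alterPermissions() the `$keep` allow-list is intersected with `$permissions`, but the replacement item is still built with `$item->isAdmin()` as its fourth argument, so an item flagged admin presumably keeps unrestricted access on the control site regardless of the intersect; the comment above the `if` hints at the same concern. If the control site is meant to be limited to the listed permissions for every account, build the item with `FALSE` in that position and give admin items the list explicitly, e.g. `$permissions = $item->isAdmin() ? $keep : array_intersect($permissions, $keep);`. The `$keep` array is also rebuilt on every loop iteration; hoisting it above the `foreach` or into a class constant makes the allow-list easier to audit. A functional test asserting that a group-admin role cannot create group content on the control domain would pin the intended behaviour.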