CodeExplorer
You are a developer and looking for Shopware projects?
Apply Now!
revokePermission example
$session->executeScript("jQuery('[data-media-library-widget-value=\"field_unlimited_media\"]').val('1,2,{$unpublished_media->id()}')");
$session->executeScript("jQuery('[data-media-library-widget-update=\"field_unlimited_media\"]').trigger('mousedown')");
$this->assertElementExistsAfterWait('css', '.js-media-library-item');
// Assert the published items are selected and the unpublished item is not // selected. $assert_session->pageTextContains('Horse');
$assert_session->pageTextContains('Bear');
$assert_session->pageTextNotContains('Mosquito');
$this->drupalLogout();
$role = Role::load(RoleInterface::ANONYMOUS_ID);
$role->revokePermission('view media');
$role->save();
// Create a working state. $allowed_types = ['type_one', 'type_two', 'type_three', 'type_four'];
// The opener parameters are not relevant to the test, but the opener // expects them to be there or it will deny access. $state = MediaLibraryState::create('media_library.opener.field_widget', $allowed_types, 'type_three', 2, [
'entity_type_id' => 'node',
'bundle' => 'basic_page',
'field_name' => 'field_unlimited_media',
]);
$session->executeScript("jQuery('[data-media-library-widget-update=\"field_unlimited_media\"]').trigger('mousedown')");
$this->assertElementExistsAfterWait('css', '.js-media-library-item');
// Assert the published items are selected and the unpublished item is not // selected. $assert_session->pageTextContains('Horse');
$assert_session->pageTextContains('Bear');
$assert_session->pageTextNotContains('Mosquito');
$this->drupalLogout();
$role = Role::load(RoleInterface::ANONYMOUS_ID);
$role->revokePermission('view media');
$role->save();
// Create a working state. $allowed_types = ['type_one', 'type_two', 'type_three', 'type_four'];
// The opener parameters are not relevant to the test, but the opener // expects them to be there or it will deny access. $state = MediaLibraryState::create('media_library.opener.field_widget', $allowed_types, 'type_three', 2, [
'entity_type_id' => 'node',
'bundle' => 'basic_page',
'field_name' => 'field_unlimited_media',
]);
$published_node->setUnpublished()->save();
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
// Disallow anonymous users to view the entity, which then should also // disallow them to view the image. $published_node->setPublished()->save();
Role::load(RoleInterface::ANONYMOUS_ID)
->revokePermission('access content')
->save();
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
}
}
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
// Disallow anonymous users to view the entity, which then should also // disallow them to view the image. $published_node->setPublished()->save();
Role::load(RoleInterface::ANONYMOUS_ID)
->revokePermission('access content')
->save();
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
}
}
protected static $modules = ['system', 'user', 'user_permissions_test'];
public function testOrderOfPermissions() {
$role = Role::create(['id' => 'test_role', 'label' => 'Test role']);
$role->grantPermission('b')
->grantPermission('a')
->grantPermission('c')
->save();
$this->assertEquals(['a', 'b', 'c'], $role->getPermissions());
$role->revokePermission('b')->save();
$this->assertEquals(['a', 'c'], $role->getPermissions());
$role->grantPermission('b')->save();
$this->assertEquals(['a', 'b', 'c'], $role->getPermissions());
}
public function testGrantingNonExistentPermission() {
$role = Role::create(['id' => 'test_role', 'label' => 'Test role']);
// A single permission that does not exist. $this->expectException(\RuntimeException::class);
public function testOrderOfPermissions() {
$role = Role::create(['id' => 'test_role', 'label' => 'Test role']);
$role->grantPermission('b')
->grantPermission('a')
->grantPermission('c')
->save();
$this->assertEquals(['a', 'b', 'c'], $role->getPermissions());
$role->revokePermission('b')->save();
$this->assertEquals(['a', 'c'], $role->getPermissions());
$role->grantPermission('b')->save();
$this->assertEquals(['a', 'b', 'c'], $role->getPermissions());
}
public function testGrantingNonExistentPermission() {
$role = Role::create(['id' => 'test_role', 'label' => 'Test role']);
// A single permission that does not exist. $this->expectException(\RuntimeException::class);
protected function setUp(): void {
parent::setUp();
$this->serializer = $this->container->get('jsonapi.serializer');
$this->config('system.logging')->set('error_level', ERROR_REPORTING_HIDE)->save();
// Ensure the anonymous user role has no permissions at all. $user_role = Role::load(RoleInterface::ANONYMOUS_ID);
foreach ($user_role->getPermissions() as $permission) {
$user_role->revokePermission($permission);
}
$user_role->save();
assert([] === $user_role->getPermissions(), 'The anonymous user role has no permissions at all.');
// Ensure the authenticated user role has no permissions at all. $user_role = Role::load(RoleInterface::AUTHENTICATED_ID);
foreach ($user_role->getPermissions() as $permission) {
$user_role->revokePermission($permission);
}
$user_role->save();
assert([] === $user_role->getPermissions(), 'The authenticated user role has no permissions at all.');
$this->drupalGet('media/oembed', ['query' => $no_hash_query]);
$assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
$assert_session->pageTextContains('Client error');
// A correct query should be allowed because the anonymous role has the // 'view media' permission. $this->drupalGet('media/oembed', ['query' => $query]);
$assert_session->pageTextContains('By the power of Grayskull, Vimeo works!');
// Remove the 'view media' permission to test that this restricts access. $role = Role::load(AccountInterface::ANONYMOUS_ROLE);
$role->revokePermission('view media');
$role->save();
$this->drupalGet('media/oembed', ['query' => $query]);
$assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
$assert_session->pageTextContains('Access denied');
}
/** * Tests that a security warning appears if iFrame domain is not set. */
public function testOEmbedSecurityWarning() {
$media_type_id = 'test_media_oembed_type';
$assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
$assert_session->pageTextContains('Client error');
// A correct query should be allowed because the anonymous role has the // 'view media' permission. $this->drupalGet('media/oembed', ['query' => $query]);
$assert_session->pageTextContains('By the power of Grayskull, Vimeo works!');
// Remove the 'view media' permission to test that this restricts access. $role = Role::load(AccountInterface::ANONYMOUS_ROLE);
$role->revokePermission('view media');
$role->save();
$this->drupalGet('media/oembed', ['query' => $query]);
$assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
$assert_session->pageTextContains('Access denied');
}
/** * Tests that a security warning appears if iFrame domain is not set. */
public function testOEmbedSecurityWarning() {
$media_type_id = 'test_media_oembed_type';
$response = $this->request('POST', $url, $request_options);
$this->assertSame(201, $response->getStatusCode());
$expected = $this->getExpectedNormalizedFileEntity();
static::recursiveKSort($expected);
$actual = $this->serializer->decode((string) $response->getBody(), static::$format);
static::recursiveKSort($actual);
$this->assertSame($expected, $actual);
// To still run the complete test coverage for POSTing a Media entity, we // must revoke the additional permissions that we granted. $role = Role::load(static::$auth ? RoleInterface::AUTHENTICATED_ID : RoleInterface::ANONYMOUS_ID);
$role->revokePermission('create camelids media');
$role->trustData()->save();
}
/** * Gets the expected file entity. * * @return array * The expected normalized data array. */
protected function getExpectedNormalizedFileEntity() {
$file = File::load(3);
$this->assertSame(201, $response->getStatusCode());
$expected = $this->getExpectedNormalizedFileEntity();
static::recursiveKSort($expected);
$actual = $this->serializer->decode((string) $response->getBody(), static::$format);
static::recursiveKSort($actual);
$this->assertSame($expected, $actual);
// To still run the complete test coverage for POSTing a Media entity, we // must revoke the additional permissions that we granted. $role = Role::load(static::$auth ? RoleInterface::AUTHENTICATED_ID : RoleInterface::ANONYMOUS_ID);
$role->revokePermission('create camelids media');
$role->trustData()->save();
}
/** * Gets the expected file entity. * * @return array * The expected normalized data array. */
protected function getExpectedNormalizedFileEntity() {
$file = File::load(3);
/**
* {@inheritdoc}
*/
protected function setUp(): void {
parent::setUp();
$this->serializer = $this->container->get('serializer');
// Ensure the anonymous user role has no permissions at all. $user_role = Role::load(RoleInterface::ANONYMOUS_ID);
foreach ($user_role->getPermissions() as $permission) {
$user_role->revokePermission($permission);
}
$user_role->save();
assert([] === $user_role->getPermissions(), 'The anonymous user role has no permissions at all.');
if (static::$auth !== FALSE) {
// Ensure the authenticated user role has no permissions at all. $user_role = Role::load(RoleInterface::AUTHENTICATED_ID);
foreach ($user_role->getPermissions() as $permission) {
$user_role->revokePermission($permission);
}
$user_role->save();
protected function setUp(): void {
parent::setUp();
$this->serializer = $this->container->get('serializer');
// Ensure the anonymous user role has no permissions at all. $user_role = Role::load(RoleInterface::ANONYMOUS_ID);
foreach ($user_role->getPermissions() as $permission) {
$user_role->revokePermission($permission);
}
$user_role->save();
assert([] === $user_role->getPermissions(), 'The anonymous user role has no permissions at all.');
if (static::$auth !== FALSE) {
// Ensure the authenticated user role has no permissions at all. $user_role = Role::load(RoleInterface::AUTHENTICATED_ID);
foreach ($user_role->getPermissions() as $permission) {
$user_role->revokePermission($permission);
}
$user_role->save();
$assert_session->pageTextNotContains('You do not have permission to view media item');
$remove_button->press();
$this->waitForText("Removing Horse.");
$this->waitForText("Horse has been removed.");
// Logout without saving. $this->drupalLogout();
// Create a user who can edit content but not view media. // Must remove permission from authenticated role first, otherwise the new // user will inherit that permission. $role = Role::load(RoleInterface::AUTHENTICATED_ID);
$role->revokePermission('view media');
$role->save();
$non_media_editor = $this->drupalCreateUser([
'access content',
'create basic_page content',
'edit any basic_page content',
]);
$this->drupalLogin($non_media_editor);
// Assert that preview does not reveal media name. $this->drupalGet($node->toUrl('edit-form'));
// There should be no preview name.
$remove_button->press();
$this->waitForText("Removing Horse.");
$this->waitForText("Horse has been removed.");
// Logout without saving. $this->drupalLogout();
// Create a user who can edit content but not view media. // Must remove permission from authenticated role first, otherwise the new // user will inherit that permission. $role = Role::load(RoleInterface::AUTHENTICATED_ID);
$role->revokePermission('view media');
$role->save();
$non_media_editor = $this->drupalCreateUser([
'access content',
'create basic_page content',
'edit any basic_page content',
]);
$this->drupalLogin($non_media_editor);
// Assert that preview does not reveal media name. $this->drupalGet($node->toUrl('edit-form'));
// There should be no preview name.
'value' => '<p>Hello, unsaved world!</p>',
'format' => 'full_html',
];
}
/** * Assert inaccessible items don't change the data of the fields. */
public function testAccess() {
// Revoke the 'view test entity' permission for this test. Role::load(RoleInterface::ANONYMOUS_ID)
->revokePermission('view test entity')
->save();
$field_name = $this->fieldName;
$referencing_entity = $this->container->get('entity_type.manager')
->getStorage($this->entityType)
->create(['name' => $this->randomMachineName()]);
$referencing_entity->save();
$referencing_entity->{$field_name}->entity = $this->referencedEntity;
// Assert user doesn't have access to the entity.
'format' => 'full_html',
];
}
/** * Assert inaccessible items don't change the data of the fields. */
public function testAccess() {
// Revoke the 'view test entity' permission for this test. Role::load(RoleInterface::ANONYMOUS_ID)
->revokePermission('view test entity')
->save();
$field_name = $this->fieldName;
$referencing_entity = $this->container->get('entity_type.manager')
->getStorage($this->entityType)
->create(['name' => $this->randomMachineName()]);
$referencing_entity->save();
$referencing_entity->{$field_name}->entity = $this->referencedEntity;
// Assert user doesn't have access to the entity.
$this->clickViewsOperationLink('Disable', '/glossary/');
// $this->assertSession()->addressEquals('admin/structure/views'); // $this->assertSession()->linkByHrefNotExists($edit_href); // The easiest way to verify it appears on the disabled views listing page // is to try to click the "enable" link from there again. $this->drupalGet('admin/structure/views');
$this->clickViewsOperationLink('Enable', '/glossary/');
$this->assertSession()->addressEquals('admin/structure/views');
$this->assertSession()->linkByHrefExists($edit_href);
// Clear permissions for anonymous users to check access for default views. Role::load(RoleInterface::ANONYMOUS_ID)->revokePermission('access content')->save();
// Test the default views disclose no data by default. $this->drupalLogout();
$this->drupalGet('glossary');
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet('archive');
$this->assertSession()->statusCodeEquals(403);
// Test deleting a view. $this->drupalLogin($this->fullAdminUser);
$this->drupalGet('admin/structure/views');
// $this->assertSession()->addressEquals('admin/structure/views'); // $this->assertSession()->linkByHrefNotExists($edit_href); // The easiest way to verify it appears on the disabled views listing page // is to try to click the "enable" link from there again. $this->drupalGet('admin/structure/views');
$this->clickViewsOperationLink('Enable', '/glossary/');
$this->assertSession()->addressEquals('admin/structure/views');
$this->assertSession()->linkByHrefExists($edit_href);
// Clear permissions for anonymous users to check access for default views. Role::load(RoleInterface::ANONYMOUS_ID)->revokePermission('access content')->save();
// Test the default views disclose no data by default. $this->drupalLogout();
$this->drupalGet('glossary');
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet('archive');
$this->assertSession()->statusCodeEquals(403);
// Test deleting a view. $this->drupalLogin($this->fullAdminUser);
$this->drupalGet('admin/structure/views');
$element = $test_element;
$element['#markup'] = 'this should not be visible';
$output = \Drupal::service('renderer')->renderRoot($element);
$this->assertEquals('content for authenticated users', $output);
// Even though the cache contexts have been optimized to only include 'user' // cache context, the element should have been changed because // 'user.permissions' cache context defined a cache tags for permission // changes, which should have bubbled up for the element when it was // optimized away. Role::load($role)
->revokePermission('administer permissions')
->save();
$element = $test_element;
$element['#markup'] = 'this should be visible';
$output = \Drupal::service('renderer')->renderRoot($element);
$this->assertEquals('this should be visible', $output);
}
/** * Ensures that 'user.roles' still works when it is optimized away. */
public function testUserRolesCacheContextOptimization() {
$element['#markup'] = 'this should not be visible';
$output = \Drupal::service('renderer')->renderRoot($element);
$this->assertEquals('content for authenticated users', $output);
// Even though the cache contexts have been optimized to only include 'user' // cache context, the element should have been changed because // 'user.permissions' cache context defined a cache tags for permission // changes, which should have bubbled up for the element when it was // optimized away. Role::load($role)
->revokePermission('administer permissions')
->save();
$element = $test_element;
$element['#markup'] = 'this should be visible';
$output = \Drupal::service('renderer')->renderRoot($element);
$this->assertEquals('this should be visible', $output);
}
/** * Ensures that 'user.roles' still works when it is optimized away. */
public function testUserRolesCacheContextOptimization() {
$tables = $query->getTables();
// Ensure that the join to node_field_data is not added by default. $this->assertEquals(['node_field_data', 'taxonomy_index'], array_keys($tables));
// Ensure that the filter to the language column is not there by default. $condition = $query->conditions();
// We only want to check the no. of conditions in the query. unset($condition['#conjunction']);
$this->assertCount(1, $condition);
// Clear permissions for anonymous users to check access for default views. Role::load(RoleInterface::ANONYMOUS_ID)->revokePermission('access content')->save();
// Test the default views disclose no data by default. $this->drupalLogout();
$this->drupalGet('taxonomy/term/' . $term->id());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet('taxonomy/term/' . $term->id() . '/feed');
$this->assertSession()->statusCodeEquals(403);
}
}
// Ensure that the join to node_field_data is not added by default. $this->assertEquals(['node_field_data', 'taxonomy_index'], array_keys($tables));
// Ensure that the filter to the language column is not there by default. $condition = $query->conditions();
// We only want to check the no. of conditions in the query. unset($condition['#conjunction']);
$this->assertCount(1, $condition);
// Clear permissions for anonymous users to check access for default views. Role::load(RoleInterface::ANONYMOUS_ID)->revokePermission('access content')->save();
// Test the default views disclose no data by default. $this->drupalLogout();
$this->drupalGet('taxonomy/term/' . $term->id());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet('taxonomy/term/' . $term->id() . '/feed');
$this->assertSession()->statusCodeEquals(403);
}
}