
public function CartEntityAccessTest::testViewAccess in Commerce Core 8.2

Tests that users with the view permission can view their own carts.

File

modules/cart/tests/src/Functional/CartEntityAccessTest.php, line 36

Class

CartEntityAccessTest
Tests cart access.

Namespace

Drupal\Tests\commerce_cart\Functional

Code

/**
 * Tests which browser sessions can open the order view page of a cart.
 *
 * An authenticated customer's cart and an anonymous visitor's cart are each
 * requested at user/{uid}/orders/{order_id} before and after checkout. Every
 * request is repeated from sessions that do not own the order, so the test
 * fails if access is granted on the strength of the ids in the URL alone.
 */
public function testViewAccess() {
  $customer = $this->drupalCreateUser([
    'access checkout',
    'view own commerce_order',
  ]);

  // Ensure that access checks are respected even if anonymous users have
  // permission to view their own orders.
  user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, ['view own commerce_order']);

  // Authorized cart: owned by $customer, 'place' transition not yet applied.
  $cart = \Drupal::service('commerce_cart.cart_provider')->createCart('default', $this->store, $customer);
  assert($cart instanceof OrderInterface);
  $order_path = 'user/' . $customer->id() . '/orders/' . $cart->id();

  // Even the owner gets 403 on the order page while the cart is unplaced.
  $this->drupalLogin($customer);
  $this->drupalGet($order_path);
  $this->assertSession()->statusCodeEquals(403);

  // A separate session must be refused as well.
  // NOTE(review): switchSession() is defined outside this listing; presumably
  // it starts or selects a second, logged-out browser session -- confirm.
  $this->switchSession('anonymous');
  $this->drupalGet($order_path);
  $this->assertSession()->statusCodeEquals(403);

  $cart->getState()->applyTransitionById('place');
  $cart->save();

  // User can now see placed cart. 'default' is the session $customer logged
  // in with above.
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($order_path);
  $this->assertSession()->statusCodeEquals(200);

  // Placing the order must not open it up to the anonymous session.
  $this->switchSession('anonymous');
  $this->drupalGet($order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Anonymous active cart, created by the 'anonymous' session.
  // NOTE(review): uid 0 and order id 3 are hard-coded below; this assumes the
  // cart created by "Add to cart" receives id 3, which depends on fixtures
  // set up outside this method -- confirm.
  $guest_order_path = 'user/0/orders/3';
  $this->drupalGet('product/' . $this->variation->getProductId());
  $this->submitForm([], 'Add to cart');

  // The logged-in customer cannot view the anonymous cart.
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($guest_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Neither can a second, unrelated anonymous session.
  $this->switchSession('anonymous2');
  $this->drupalGet($guest_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Nor the anonymous session that created it, while it is still a cart.
  $this->mink->setDefaultSessionName('anonymous');
  $this->drupalGet($guest_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Anonymous completed cart: the 'anonymous' session checks out as a guest.
  $this->drupalGet('checkout/3/login');
  $this->submitForm([], 'Continue as Guest');
  $this->submitForm([
    'contact_information[email]' => 'guest@example.com',
    'contact_information[email_confirm]' => 'guest@example.com',
    'billing_information[profile][address][0][address][given_name]' => $this->randomString(),
    'billing_information[profile][address][0][address][family_name]' => $this->randomString(),
    'billing_information[profile][address][0][address][organization]' => $this->randomString(),
    'billing_information[profile][address][0][address][address_line1]' => $this->randomString(),
    'billing_information[profile][address][0][address][postal_code]' => '94043',
    'billing_information[profile][address][0][address][locality]' => 'Mountain View',
    'billing_information[profile][address][0][address][administrative_area]' => 'CA',
  ], 'Continue to review');
  $this->submitForm([], 'Complete checkout');

  // The session that completed checkout can view the resulting order.
  $this->drupalGet($guest_order_path);
  $this->assertSession()->statusCodeEquals(200);

  // The logged-in customer is still refused.
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($guest_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // So is the other anonymous session, although the URL uses the same uid 0.
  $this->mink->setDefaultSessionName('anonymous2');
  $this->drupalGet($guest_order_path);
  $this->assertSession()->statusCodeEquals(403);
}